wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.8.0 - Beta 3 - Installation assistant #22332

Closed teddytpc1 closed 8 months ago

teddytpc1 commented 8 months ago

Installation assistant information

Main release candidate issue https://github.com/wazuh/wazuh/issues/22283
Version 4.8.0
Release candidate Beta 3
Tag https://github.com/wazuh/wazuh/tree/v4.8.0-beta3
Previous Installation assistant wazuh/wazuh#22122

Description

Test installation assistant with the -a option in the following OSs:


Checks

| Status | OS | Check | Issues |
|---|---|---|---|
| :green_circle: | AL 2 | Installed packages | |
| :green_circle: | AL 2 | Install logs | |
| :yellow_circle: | AL 2 | Wazuh indexer logs | Related issue: https://github.com/wazuh/wazuh-indexer/issues/167. Related issue: https://github.com/wazuh/wazuh-packages/issues/1511#issuecomment-1308329094 |
| :yellow_circle: | AL 2 | Wazuh manager logs | Related: https://github.com/wazuh/wazuh/issues/21829 |
| :green_circle: | AL 2 | Wazuh dashboard logs | |
| :green_circle: | AL 2 | Wazuh dashboard | |
| :green_circle: | RHEL 9 | Installed packages | |
| :green_circle: | RHEL 9 | Install logs | |
| :yellow_circle: | RHEL 9 | Wazuh indexer logs | Related issue: https://github.com/wazuh/wazuh-indexer/issues/167. Related issue: https://github.com/wazuh/wazuh-packages/issues/1511#issuecomment-1308329094 |
| :yellow_circle: | RHEL 9 | Wazuh manager logs | Related: https://github.com/wazuh/wazuh/issues/21829 |
| :yellow_circle: | RHEL 9 | Wazuh dashboard logs | Related issue: https://github.com/wazuh/wazuh-dashboard-plugins/issues/6312 |
| :green_circle: | RHEL 9 | Wazuh dashboard | |
| :green_circle: | Ubuntu 22.04 | Installed packages | |
| :green_circle: | Ubuntu 22.04 | Install logs | |
| :yellow_circle: | Ubuntu 22.04 | Wazuh indexer logs | Related issue: https://github.com/wazuh/wazuh-indexer/issues/167. Related issue: https://github.com/wazuh/wazuh-packages/issues/1511#issuecomment-1308329094 |
| :yellow_circle: | Ubuntu 22.04 | Wazuh manager logs | Related: https://github.com/wazuh/wazuh/issues/21829 |
| :green_circle: | Ubuntu 22.04 | Wazuh dashboard logs | |
| :green_circle: | Ubuntu 22.04 | Wazuh dashboard | |

Checks legend:


Status legend: :black_circle: - Pending/In progress :white_circle: - Skipped :red_circle: - Rejected :yellow_circle: - Known issue :green_circle: - Approved


Conclusion

Some issues were found and they were reported.

Auditor's validation

In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.

davidcr01 commented 8 months ago

Environment

Amazon Linux 2

```shellsession
[root@ip-172-31-47-43 ec2-user]# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"
[root@ip-172-31-47-43 ec2-user]#
```

Ubuntu 22

```shellsession
root@ip-172-31-40-14:/home/ubuntu# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
root@ip-172-31-40-14:/home/ubuntu#
```

RHEL 9

```shellsession
[root@ip-172-31-45-210 ec2-user]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
[root@ip-172-31-45-210 ec2-user]#
```

davidcr01 commented 8 months ago

Install logs :green_circle:

Amazon Linux 2 :green_circle:

Log on the console:

```shellsession
[root@ip-172-31-34-139 ec2-user]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && bash wazuh-install.sh -a
05/03/2024 15:48:30 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
05/03/2024 15:48:30 INFO: Verbose logging redirected to /var/log/wazuh-install.log
05/03/2024 15:48:38 INFO: Verifying that your system meets the recommended minimum hardware requirements.
05/03/2024 15:48:38 INFO: Wazuh web interface port will be 443.
05/03/2024 15:48:41 INFO: Wazuh development repository added.
05/03/2024 15:48:41 INFO: --- Configuration files ---
05/03/2024 15:48:41 INFO: Generating configuration files.
05/03/2024 15:48:41 INFO: Generating the root certificate.
05/03/2024 15:48:41 INFO: Generating Admin certificates.
05/03/2024 15:48:41 INFO: Generating Wazuh indexer certificates.
05/03/2024 15:48:42 INFO: Generating Filebeat certificates.
05/03/2024 15:48:42 INFO: Generating Wazuh dashboard certificates.
05/03/2024 15:48:42 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
05/03/2024 15:48:42 INFO: --- Wazuh indexer ---
05/03/2024 15:48:42 INFO: Starting Wazuh indexer installation.
05/03/2024 15:50:26 INFO: Wazuh indexer installation finished.
05/03/2024 15:50:26 INFO: Wazuh indexer post-install configuration finished.
05/03/2024 15:50:27 INFO: Starting service wazuh-indexer.
05/03/2024 15:50:48 INFO: wazuh-indexer service started.
05/03/2024 15:50:48 INFO: Initializing Wazuh indexer cluster security settings.
05/03/2024 15:50:59 INFO: Wazuh indexer cluster security configuration initialized.
05/03/2024 15:50:59 INFO: Wazuh indexer cluster initialized.
05/03/2024 15:50:59 INFO: --- Wazuh server ---
05/03/2024 15:50:59 INFO: Starting the Wazuh manager installation.
05/03/2024 15:51:51 INFO: Wazuh manager installation finished.
05/03/2024 15:51:51 INFO: Wazuh manager vulnerability detection configuration finished.
05/03/2024 15:51:51 INFO: Starting service wazuh-manager.
05/03/2024 15:52:09 INFO: wazuh-manager service started.
05/03/2024 15:52:09 INFO: Starting Filebeat installation.
05/03/2024 15:53:00 INFO: Filebeat installation finished.
05/03/2024 15:53:03 INFO: Filebeat post-install configuration finished.
05/03/2024 15:53:03 INFO: Starting service filebeat.
05/03/2024 15:53:04 INFO: filebeat service started.
05/03/2024 15:53:04 INFO: --- Wazuh dashboard ---
05/03/2024 15:53:04 INFO: Starting Wazuh dashboard installation.
05/03/2024 15:54:23 INFO: Wazuh dashboard installation finished.
05/03/2024 15:54:23 INFO: Wazuh dashboard post-install configuration finished.
05/03/2024 15:54:23 INFO: Starting service wazuh-dashboard.
05/03/2024 15:54:23 INFO: wazuh-dashboard service started.
05/03/2024 15:54:41 INFO: Updating the internal users.
05/03/2024 15:54:46 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
05/03/2024 15:55:45 INFO: Initializing Wazuh dashboard web application.
05/03/2024 15:55:46 INFO: Wazuh dashboard web application initialized.
05/03/2024 15:55:46 INFO: --- Summary ---
05/03/2024 15:55:46 INFO: You can access the web interface https://:443
    User: admin
    Password: 7iJ7TcB.ZPWps?L.n45+uFnhM1Hj*wHC
05/03/2024 15:55:46 INFO: Installation finished.
[root@ip-172-31-34-139 ec2-user]#
```

Log in wazuh-install.log:

```shellsession
[root@ip-172-31-34-139 ec2-user]# cat /var/log/wazuh-install.log
05/03/2024 15:48:30 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
05/03/2024 15:48:30 INFO: Verbose logging redirected to /var/log/wazuh-install.log
05/03/2024 15:48:38 INFO: Verifying that your system meets the recommended minimum hardware requirements.
05/03/2024 15:48:38 INFO: Wazuh web interface port will be 443.
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
05/03/2024 15:48:41 INFO: Wazuh development repository added.
05/03/2024 15:48:41 INFO: --- Configuration files ---
05/03/2024 15:48:41 INFO: Generating configuration files.
05/03/2024 15:48:41 INFO: Generating the root certificate.
05/03/2024 15:48:41 INFO: Generating Admin certificates.
05/03/2024 15:48:41 INFO: Generating Wazuh indexer certificates.
05/03/2024 15:48:42 INFO: Generating Filebeat certificates.
05/03/2024 15:48:42 INFO: Generating Wazuh dashboard certificates.
05/03/2024 15:48:42 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
05/03/2024 15:48:42 INFO: --- Wazuh indexer ---
05/03/2024 15:48:42 INFO: Starting Wazuh indexer installation.
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package wazuh-indexer.x86_64 0:4.8.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 wazuh-indexer x86_64 4.8.0-1 wazuh 743 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 743 M
Installed size: 1.0 G
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
 Installing : wazuh-indexer-4.8.0-1.x86_64 1/1
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore
 Verifying : wazuh-indexer-4.8.0-1.x86_64 1/1
Installed:
 wazuh-indexer.x86_64 0:4.8.0-1
Complete!
05/03/2024 15:50:26 INFO: Wazuh indexer installation finished.
05/03/2024 15:50:26 INFO: Wazuh indexer post-install configuration finished.
05/03/2024 15:50:27 INFO: Starting service wazuh-indexer.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service.
05/03/2024 15:50:48 INFO: wazuh-indexer service started.
05/03/2024 15:50:48 INFO: Initializing Wazuh indexer cluster security settings.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml
SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml
SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
05/03/2024 15:50:59 INFO: Wazuh indexer cluster security configuration initialized.
05/03/2024 15:50:59 INFO: Wazuh indexer cluster initialized.
05/03/2024 15:50:59 INFO: --- Wazuh server ---
05/03/2024 15:50:59 INFO: Starting the Wazuh manager installation.
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package wazuh-manager.x86_64 0:4.8.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 wazuh-manager x86_64 4.8.0-1 wazuh 290 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 290 M
Installed size: 878 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
 Installing : wazuh-manager-4.8.0-1.x86_64 1/1
 Verifying : wazuh-manager-4.8.0-1.x86_64 1/1
Installed:
 wazuh-manager.x86_64 0:4.8.0-1
Complete!
05/03/2024 15:51:51 INFO: Wazuh manager installation finished.
05/03/2024 15:51:51 INFO: Wazuh manager vulnerability detection configuration finished.
05/03/2024 15:51:51 INFO: Starting service wazuh-manager.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-manager.service to /usr/lib/systemd/system/wazuh-manager.service.
05/03/2024 15:52:09 INFO: wazuh-manager service started.
05/03/2024 15:52:09 INFO: Starting Filebeat installation.
05/03/2024 15:53:00 INFO: Filebeat installation finished.
wazuh/
wazuh/alerts/
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/archives/
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/config.yml
wazuh/_meta/fields.yml
wazuh/module.yml
Created filebeat keystore
Successfully updated the keystore
Successfully updated the keystore
05/03/2024 15:53:03 INFO: Filebeat post-install configuration finished.
05/03/2024 15:53:03 INFO: Starting service filebeat.
Created symlink from /etc/systemd/system/multi-user.target.wants/filebeat.service to /usr/lib/systemd/system/filebeat.service.
05/03/2024 15:53:04 INFO: filebeat service started.
05/03/2024 15:53:04 INFO: --- Wazuh dashboard ---
05/03/2024 15:53:04 INFO: Starting Wazuh dashboard installation.
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package wazuh-dashboard.x86_64 0:4.8.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 wazuh-dashboard x86_64 4.8.0-1 wazuh 273 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 273 M
Installed size: 902 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
 Installing : wazuh-dashboard-4.8.0-1.x86_64 1/1
 Verifying : wazuh-dashboard-4.8.0-1.x86_64 1/1
Installed:
 wazuh-dashboard.x86_64 0:4.8.0-1
Complete!
05/03/2024 15:54:23 INFO: Wazuh dashboard installation finished.
05/03/2024 15:54:23 INFO: Wazuh dashboard post-install configuration finished.
05/03/2024 15:54:23 INFO: Starting service wazuh-dashboard.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service to /etc/systemd/system/wazuh-dashboard.service.
05/03/2024 15:54:23 INFO: wazuh-dashboard service started.
05/03/2024 15:54:41 INFO: Updating the internal users.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml
SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml
SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml
SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml
SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml
SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml
SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml
SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml
SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml
SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml
05/03/2024 15:54:46 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml
SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml
SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml
SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml
SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml
SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml
SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml
SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml
SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml
SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml
Successfully updated the keystore
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /home/ec2-user
Force type: internalusers
Will update '/internalusers' with /etc/wazuh-indexer/backup/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["internalusers"],"updated_config_size":1,"message":null} is 1 (["internalusers"]) due to: null
Done with success
05/03/2024 15:55:45 INFO: Initializing Wazuh dashboard web application.
05/03/2024 15:55:46 INFO: Wazuh dashboard web application initialized.
05/03/2024 15:55:46 INFO: Installation finished.
[root@ip-172-31-34-139 ec2-user]#
```

Ubuntu 22 :green_circle:

Log on the console:

```shellsession
root@ip-172-31-32-170:/home/ubuntu# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && bash wazuh-install.sh -a
05/03/2024 15:48:30 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
05/03/2024 15:48:30 INFO: Verbose logging redirected to /var/log/wazuh-install.log
05/03/2024 15:48:53 INFO: Verifying that your system meets the recommended minimum hardware requirements.
05/03/2024 15:48:53 INFO: Wazuh web interface port will be 443.
05/03/2024 15:48:59 INFO: --- Dependencies ----
05/03/2024 15:48:59 INFO: Installing apt-transport-https.
05/03/2024 15:49:12 INFO: Wazuh development repository added.
05/03/2024 15:49:12 INFO: --- Configuration files ---
05/03/2024 15:49:12 INFO: Generating configuration files.
05/03/2024 15:49:12 INFO: Generating the root certificate.
05/03/2024 15:49:12 INFO: Generating Admin certificates.
05/03/2024 15:49:13 INFO: Generating Wazuh indexer certificates.
05/03/2024 15:49:13 INFO: Generating Filebeat certificates.
05/03/2024 15:49:13 INFO: Generating Wazuh dashboard certificates.
05/03/2024 15:49:14 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
05/03/2024 15:49:14 INFO: --- Wazuh indexer ---
05/03/2024 15:49:14 INFO: Starting Wazuh indexer installation.
05/03/2024 15:51:06 INFO: Wazuh indexer installation finished.
05/03/2024 15:51:06 INFO: Wazuh indexer post-install configuration finished.
05/03/2024 15:51:06 INFO: Starting service wazuh-indexer.
05/03/2024 15:51:31 INFO: wazuh-indexer service started.
05/03/2024 15:51:31 INFO: Initializing Wazuh indexer cluster security settings.
05/03/2024 15:51:42 INFO: Wazuh indexer cluster security configuration initialized.
05/03/2024 15:51:42 INFO: Wazuh indexer cluster initialized.
05/03/2024 15:51:42 INFO: --- Wazuh server ---
05/03/2024 15:51:42 INFO: Starting the Wazuh manager installation.
05/03/2024 15:53:25 INFO: Wazuh manager installation finished.
05/03/2024 15:53:26 INFO: Wazuh manager vulnerability detection configuration finished.
05/03/2024 15:53:26 INFO: Starting service wazuh-manager.
05/03/2024 15:53:50 INFO: wazuh-manager service started.
05/03/2024 15:53:50 INFO: Starting Filebeat installation.
05/03/2024 15:54:11 INFO: Filebeat installation finished.
05/03/2024 15:54:13 INFO: Filebeat post-install configuration finished.
05/03/2024 15:54:13 INFO: Starting service filebeat.
05/03/2024 15:54:15 INFO: filebeat service started.
05/03/2024 15:54:15 INFO: --- Wazuh dashboard ---
05/03/2024 15:54:15 INFO: Starting Wazuh dashboard installation.
05/03/2024 15:56:31 INFO: Wazuh dashboard installation finished.
05/03/2024 15:56:31 INFO: Wazuh dashboard post-install configuration finished.
05/03/2024 15:56:31 INFO: Starting service wazuh-dashboard.
05/03/2024 15:56:32 INFO: wazuh-dashboard service started.
05/03/2024 15:56:35 INFO: Updating the internal users.
05/03/2024 15:56:44 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
05/03/2024 15:57:51 INFO: Initializing Wazuh dashboard web application.
05/03/2024 15:57:52 INFO: Wazuh dashboard web application not yet initialized. Waiting...
05/03/2024 15:58:08 INFO: Wazuh dashboard web application not yet initialized. Waiting...
05/03/2024 15:58:23 INFO: Wazuh dashboard web application initialized.
05/03/2024 15:58:23 INFO: --- Summary ---
05/03/2024 15:58:23 INFO: You can access the web interface https://:443
    User: admin
    Password: +oZnJuo?.s96zU6LdvrLqY?xZykeqmsV
05/03/2024 15:58:23 INFO: Installation finished.
root@ip-172-31-32-170:/home/ubuntu#
```

Log in wazuh-install.log:

```shellsession
root@ip-172-31-32-170:/home/ubuntu# cat /var/log/wazuh-install.log
05/03/2024 15:48:30 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
05/03/2024 15:48:30 INFO: Verbose logging redirected to /var/log/wazuh-install.log
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Get:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease [109 kB]
Get:4 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:5 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [14.1 MB]
Get:6 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/universe Translation-en [5652 kB]
Get:7 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [1208 kB]
Get:8 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/universe amd64 c-n-f Metadata [286 kB]
Get:9 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [217 kB]
Get:10 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/multiverse Translation-en [112 kB]
Get:11 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/multiverse amd64 c-n-f Metadata [8372 B]
Get:12 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1424 kB]
Get:13 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main Translation-en [279 kB]
Get:14 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 c-n-f Metadata [16.1 kB]
Get:15 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [1508 kB]
Get:16 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted Translation-en [249 kB]
Get:17 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 c-n-f Metadata [520 B]
Get:18 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1052 kB]
Get:19 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe Translation-en [237 kB]
Get:20 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 c-n-f Metadata [22.1 kB]
Get:21 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [42.1 kB]
Get:22 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse Translation-en [10.1 kB]
Get:23 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 c-n-f Metadata [472 B]
Get:24 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [41.7 kB]
Get:25 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/main Translation-en [10.5 kB]
Get:26 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/main amd64 c-n-f Metadata [388 B]
Get:27 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/restricted amd64 c-n-f Metadata [116 B]
Get:28 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [24.3 kB]
Get:29 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe Translation-en [16.5 kB]
Get:30 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe amd64 c-n-f Metadata [644 B]
Get:31 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/multiverse amd64 c-n-f Metadata [116 B]
Get:32 http://security.ubuntu.com/ubuntu jammy-security/main Translation-en [219 kB]
Get:33 http://security.ubuntu.com/ubuntu jammy-security/main amd64 c-n-f Metadata [11.4 kB]
Get:34 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [1480 kB]
Get:35 http://security.ubuntu.com/ubuntu jammy-security/restricted Translation-en [245 kB]
Get:36 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 c-n-f Metadata [520 B]
Get:37 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [846 kB]
Get:38 http://security.ubuntu.com/ubuntu jammy-security/universe Translation-en [161 kB]
Get:39 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 c-n-f Metadata [16.8 kB]
Get:40 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [37.1 kB]
Get:41 http://security.ubuntu.com/ubuntu jammy-security/multiverse Translation-en [7476 B]
Get:42 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 c-n-f Metadata [260 B]
Fetched 29.9 MB in 5s (5494 kB/s)
Reading package lists...
05/03/2024 15:48:53 INFO: Verifying that your system meets the recommended minimum hardware requirements.
05/03/2024 15:48:53 INFO: Wazuh web interface port will be 443.
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Reading package lists...
05/03/2024 15:48:59 INFO: --- Dependencies ----
05/03/2024 15:48:59 INFO: Installing apt-transport-https.
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
 apt-transport-https
0 upgraded, 1 newly installed, 0 to remove and 172 not upgraded.
Need to get 1510 B of archives.
After this operation, 170 kB of additional disk space will be used.
Get:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 apt-transport-https all 2.4.11 [1510 B]
Fetched 1510 B in 0s (86.2 kB/s)
Selecting previously unselected package ap(Reading database ... 64295 files and directories c
Preparing to unpack .../apt-transport-https_2.4.11
NEEDRESTART-VER: 3.5
NEEDRESTART-KCUR: 5.19.0-1025-aws
NEEDRESTART-KEXP: 5.19.0-1025-aws
NEEDRESTART-KSTA: 1
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) " imported
gpg: Total number processed: 1
gpg: imported: 1
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:6 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [37.2 kB]
Fetched 54.5 kB in 1s (50.9 kB/s)
Reading package lists...
05/03/2024 15:49:12 INFO: Wazuh development repository added.
05/03/2024 15:49:12 INFO: --- Configuration files ---
05/03/2024 15:49:12 INFO: Generating configuration files.
05/03/2024 15:49:12 INFO: Generating the root certificate.
05/03/2024 15:49:12 INFO: Generating Admin certificates.
05/03/2024 15:49:13 INFO: Generating Wazuh indexer certificates.
05/03/2024 15:49:13 INFO: Generating Filebeat certificates.
05/03/2024 15:49:13 INFO: Generating Wazuh dashboard certificates.
05/03/2024 15:49:14 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
05/03/2024 15:49:14 INFO: --- Wazuh indexer ---
05/03/2024 15:49:14 INFO: Starting Wazuh indexer installation.
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
 wazuh-indexer
0 upgraded, 1 newly installed, 0 to remove and 172 not upgraded.
Need to get 749 MB of archives.
After this operation, 1050 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-indexer amd64 4.8.0-1 [749 MB]
Fetched 749 MB in 13s (56.8 MB/s)
Selecti(Reading database ... 64299 files and directories c
Preparing to unpack .../wazuh-indexer_4.8.0-1_amd6
Created opensearch keystore in /etc/wazuh-indexer/
Processing triggers for libc-bin (2.35-0ubuntu3.1)
NEEDRESTART-VER: 3.5
NEEDRESTART-KCUR: 5.19.0-1025-aws
NEEDRESTART-KEXP: 5.19.0-1025-aws
NEEDRESTART-KSTA: 1
05/03/2024 15:51:06 INFO: Wazuh indexer installation finished.
05/03/2024 15:51:06 INFO: Wazuh indexer post-install configuration finished.
05/03/2024 15:51:06 INFO: Starting service wazuh-indexer.
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /lib/systemd/system/wazuh-indexer.service.
05/03/2024 15:51:31 INFO: wazuh-indexer service started.
05/03/2024 15:51:31 INFO: Initializing Wazuh indexer cluster security settings.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ...
done (0-all replicas) Populate config from /etc/wazuh-indexer/opensearch-security/ Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml SUCC: Configuration for 'config' created or updated Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml SUCC: Configuration for 'roles' created or updated Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml SUCC: Configuration for 'internalusers' created or updated Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml SUCC: Configuration for 'actiongroups' created or updated Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml SUCC: Configuration for 'tenants' created or updated Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml SUCC: Configuration for 'nodesdn' created or updated Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml SUCC: Configuration for 'whitelist' created or updated Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml SUCC: Configuration for 'audit' created or updated Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml SUCC: Configuration for 'allowlist' created or updated SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null Done with success 05/03/2024 15:51:42 INFO: Wazuh indexer cluster security configuration initialized. 05/03/2024 15:51:42 INFO: Wazuh indexer cluster initialized. 
05/03/2024 15:51:42 INFO: --- Wazuh server --- 05/03/2024 15:51:42 INFO: Starting the Wazuh manager installation. Reading package lists... Building dependency tree... Reading state information... Suggested packages: expect The following NEW packages will be installed: wazuh-manager 0 upgraded, 1 newly installed, 0 to remove and 172 not upgraded. Need to get 308 MB of archives. After this operation, 911 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-manager amd64 4.8.0-1 [308 MB] Fetched 308 MB in 5s (62.2 MB/s) Selecting previously unselected p(Reading database ... 65472 files and directories c Preparing to unpack .../wazuh-manager_4.8.0-1_amd6 NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.19.0-1025-aws NEEDRESTART-KEXP: 5.19.0-1025-aws NEEDRESTART-KSTA: 1 05/03/2024 15:53:25 INFO: Wazuh manager installation finished. 05/03/2024 15:53:26 INFO: Wazuh manager vulnerability detection configuration finished. 05/03/2024 15:53:26 INFO: Starting service wazuh-manager. Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /lib/systemd/system/wazuh-manager.service. 05/03/2024 15:53:50 INFO: wazuh-manager service started. 05/03/2024 15:53:50 INFO: Starting Filebeat installation. Reading package lists... Building dependency tree... Reading state information... The following NEW packages will be installed: filebeat 0 upgraded, 1 newly installed, 0 to remove and 172 not upgraded. Need to get 22.1 MB of archives. After this operation, 73.6 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 filebeat amd64 7.10.2 [22.1 MB] Fetched 22.1 MB in 2s (14.5 MB/s) Selecting previo(Reading database ... 
87504 files and directories c Preparing to unpack .../filebeat_7.10.2_amd64.deb NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.19.0-1025-aws NEEDRESTART-KEXP: 5.19.0-1025-aws NEEDRESTART-KSTA: 1 05/03/2024 15:54:11 INFO: Filebeat installation finished. wazuh/ wazuh/alerts/ wazuh/alerts/ingest/ wazuh/alerts/ingest/pipeline.json wazuh/alerts/config/ wazuh/alerts/config/alerts.yml wazuh/alerts/manifest.yml wazuh/archives/ wazuh/archives/ingest/ wazuh/archives/ingest/pipeline.json wazuh/archives/config/ wazuh/archives/config/archives.yml wazuh/archives/manifest.yml wazuh/_meta/ wazuh/_meta/docs.asciidoc wazuh/_meta/config.yml wazuh/_meta/fields.yml wazuh/module.yml Created filebeat keystore Successfully updated the keystore Successfully updated the keystore 05/03/2024 15:54:13 INFO: Filebeat post-install configuration finished. 05/03/2024 15:54:13 INFO: Starting service filebeat. Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable filebeat Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /lib/systemd/system/filebeat.service. 05/03/2024 15:54:15 INFO: filebeat service started. 05/03/2024 15:54:15 INFO: --- Wazuh dashboard --- 05/03/2024 15:54:15 INFO: Starting Wazuh dashboard installation. Reading package lists... Building dependency tree... Reading state information... The following NEW packages will be installed: wazuh-dashboard 0 upgraded, 1 newly installed, 0 to remove and 172 not upgraded. Need to get 186 MB of archives. After this operation, 987 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-dashboard amd64 4.8.0-1 [186 MB] Fetched 186 MB in 6s (30.1 MB/s) Selec(Reading database ... 
87823 files and directories c Preparing to unpack .../wazuh-dashboard_4.8.0-1_am NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.19.0-1025-aws NEEDRESTART-KEXP: 5.19.0-1025-aws NEEDRESTART-KSTA: 1 05/03/2024 15:56:31 INFO: Wazuh dashboard installation finished. 05/03/2024 15:56:31 INFO: Wazuh dashboard post-install configuration finished. 05/03/2024 15:56:31 INFO: Starting service wazuh-dashboard. Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service. 05/03/2024 15:56:32 INFO: wazuh-dashboard service started. 05/03/2024 15:56:35 INFO: Updating the internal users. ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index already exists, so we do not need to create one. 
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml 05/03/2024 15:56:44 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder. 
************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index already exists, so we do not need to create one. Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml Will retrieve '/allowlist' into 
/etc/wazuh-indexer/backup/allowlist.yml SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml Successfully updated the keystore ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index already exists, so we do not need to create one. Populate config from /home/ubuntu Force type: internalusers Will update '/internalusers' with /etc/wazuh-indexer/backup/internal_users.yml SUCC: Configuration for 'internalusers' created or updated SUCC: Expected 1 config types for node {"updated_config_types":["internalusers"],"updated_config_size":1,"message":null} is 1 (["internalusers"]) due to: null Done with success 05/03/2024 15:57:51 INFO: Initializing Wazuh dashboard web application. 05/03/2024 15:57:52 INFO: Wazuh dashboard web application not yet initialized. Waiting... 05/03/2024 15:58:08 INFO: Wazuh dashboard web application not yet initialized. Waiting... 05/03/2024 15:58:23 INFO: Wazuh dashboard web application initialized. 05/03/2024 15:58:23 INFO: Installation finished. root@ip-172-31-32-170:/home/ubuntu# ```

RHEL 9 :yellow_circle:

The RHEL9 system (4GB of RAM) failed on a first test because it did not have enough free RAM memory. Known issue: https://github.com/wazuh/wazuh-packages/issues/2119 :yellow_circle:

```shellsession
[root@ip-172-31-36-46 ec2-user]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && bash wazuh-install.sh -a
05/03/2024 15:48:30 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
05/03/2024 15:48:30 INFO: Verbose logging redirected to /var/log/wazuh-install.log
05/03/2024 15:48:41 INFO: --- Dependencies ---
05/03/2024 15:48:41 INFO: Installing lsof.
05/03/2024 15:48:58 INFO: Verifying that your system meets the recommended minimum hardware requirements.
05/03/2024 15:48:58 ERROR: Your system does not meet the recommended minimum hardware requirements of 4Gb of RAM and 2 CPU cores. If you want to proceed with the installation use the -i option to ignore these requirements.
[root@ip-172-31-36-46 ec2-user]#
```

Using the -i option solves the problem:

Log in the console:

```shellsession
[root@ip-172-31-36-46 ec2-user]# bash wazuh-install.sh -a -i
05/03/2024 15:49:12 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
05/03/2024 15:49:12 INFO: Verbose logging redirected to /var/log/wazuh-install.log
05/03/2024 15:49:25 WARNING: Hardware and system checks ignored.
05/03/2024 15:49:25 INFO: Wazuh web interface port will be 443.
05/03/2024 15:49:28 INFO: Wazuh development repository added.
05/03/2024 15:49:28 INFO: --- Configuration files ---
05/03/2024 15:49:28 INFO: Generating configuration files.
05/03/2024 15:49:28 INFO: Generating the root certificate.
05/03/2024 15:49:29 INFO: Generating Admin certificates.
05/03/2024 15:49:29 INFO: Generating Wazuh indexer certificates.
05/03/2024 15:49:30 INFO: Generating Filebeat certificates.
05/03/2024 15:49:31 INFO: Generating Wazuh dashboard certificates.
05/03/2024 15:49:31 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
05/03/2024 15:49:32 INFO: --- Wazuh indexer ---
05/03/2024 15:49:32 INFO: Starting Wazuh indexer installation.
05/03/2024 15:51:39 INFO: Wazuh indexer installation finished.
05/03/2024 15:51:39 INFO: Wazuh indexer post-install configuration finished.
05/03/2024 15:51:39 INFO: Starting service wazuh-indexer.
05/03/2024 15:52:04 INFO: wazuh-indexer service started.
05/03/2024 15:52:04 INFO: Initializing Wazuh indexer cluster security settings.
05/03/2024 15:52:15 INFO: Wazuh indexer cluster security configuration initialized.
05/03/2024 15:52:15 INFO: Wazuh indexer cluster initialized.
05/03/2024 15:52:15 INFO: --- Wazuh server ---
05/03/2024 15:52:15 INFO: Starting the Wazuh manager installation.
05/03/2024 15:53:42 INFO: Wazuh manager installation finished.
05/03/2024 15:53:42 INFO: Wazuh manager vulnerability detection configuration finished.
05/03/2024 15:53:42 INFO: Starting service wazuh-manager.
05/03/2024 15:54:01 INFO: wazuh-manager service started.
05/03/2024 15:54:01 INFO: Starting Filebeat installation.
05/03/2024 15:54:20 INFO: Filebeat installation finished.
05/03/2024 15:54:22 INFO: Filebeat post-install configuration finished.
05/03/2024 15:54:22 INFO: Starting service filebeat.
05/03/2024 15:54:24 INFO: filebeat service started.
05/03/2024 15:54:24 INFO: --- Wazuh dashboard ---
05/03/2024 15:54:24 INFO: Starting Wazuh dashboard installation.
05/03/2024 15:56:59 INFO: Wazuh dashboard installation finished.
05/03/2024 15:56:59 INFO: Wazuh dashboard post-install configuration finished.
05/03/2024 15:56:59 INFO: Starting service wazuh-dashboard.
05/03/2024 15:57:00 INFO: wazuh-dashboard service started.
05/03/2024 15:57:04 INFO: Updating the internal users.
05/03/2024 15:57:12 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
05/03/2024 15:58:20 INFO: Initializing Wazuh dashboard web application.
05/03/2024 15:58:21 INFO: Wazuh dashboard web application not yet initialized. Waiting...
05/03/2024 15:58:37 INFO: Wazuh dashboard web application not yet initialized. Waiting...
05/03/2024 15:58:52 INFO: Wazuh dashboard web application initialized.
05/03/2024 15:58:52 INFO: --- Summary ---
05/03/2024 15:58:52 INFO: You can access the web interface https://:443
    User: admin
    Password: gkiNB1zmp+m+NHCyKwDapIE+N16VNY5b
05/03/2024 15:58:52 INFO: Installation finished.
[root@ip-172-31-36-46 ec2-user]#
```
Log in wazuh-install.log ```shellsession [root@ip-172-31-36-46 ec2-user]# cat /var/log/wazuh-install.log 05/03/2024 15:49:12 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0 05/03/2024 15:49:12 INFO: Verbose logging redirected to /var/log/wazuh-install.log Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. 0 files removed 05/03/2024 15:49:25 WARNING: Hardware and system checks ignored. 05/03/2024 15:49:25 INFO: Wazuh web interface port will be 443. [wazuh] gpgcheck=1 gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-${releasever} - Wazuh baseurl=https://packages-dev.wazuh.com/pre-release/yum/ protect=1 05/03/2024 15:49:28 INFO: Wazuh development repository added. 05/03/2024 15:49:28 INFO: --- Configuration files --- 05/03/2024 15:49:28 INFO: Generating configuration files. 05/03/2024 15:49:28 INFO: Generating the root certificate. 05/03/2024 15:49:29 INFO: Generating Admin certificates. 05/03/2024 15:49:29 INFO: Generating Wazuh indexer certificates. 05/03/2024 15:49:30 INFO: Generating Filebeat certificates. 05/03/2024 15:49:31 INFO: Generating Wazuh dashboard certificates. 05/03/2024 15:49:31 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation. 05/03/2024 15:49:32 INFO: --- Wazuh indexer --- 05/03/2024 15:49:32 INFO: Starting Wazuh indexer installation. Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. Red Hat Enterprise Linux 9 for x86_64 - AppStre 60 MB/s | 29 MB 00:00 Red Hat Enterprise Linux 9 for x86_64 - BaseOS 58 MB/s | 17 MB 00:00 Red Hat Enterprise Linux 9 Client Configuration 21 kB/s | 2.2 kB 00:00 EL-9 - Wazuh 20 MB/s | 24 MB 00:01 Dependencies resolved. 
================================================================================ Package Architecture Version Repository Size ================================================================================ Installing: wazuh-indexer x86_64 4.8.0-1 wazuh 743 M Transaction Summary ================================================================================ Install 1 Package Total download size: 743 M Installed size: 1.0 G Downloading Packages: wazuh-indexer-4.8.0-1.x86_64.rpm 105 MB/s | 743 MB 00:07 -------------------------------------------------------------------------------- Total 105 MB/s | 743 MB 00:07 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: wazuh-indexer-4.8.0-1.x86_64 1/1 Installing : wazuh-indexer-4.8.0-1.x86_64 1/1 Running scriptlet: wazuh-indexer-4.8.0-1.x86_64 1/1 Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore Verifying : wazuh-indexer-4.8.0-1.x86_64 1/1 Installed products updated. Installed: wazuh-indexer-4.8.0-1.x86_64 Complete! 05/03/2024 15:51:39 INFO: Wazuh indexer installation finished. 05/03/2024 15:51:39 INFO: Wazuh indexer post-install configuration finished. 05/03/2024 15:51:39 INFO: Starting service wazuh-indexer. Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /usr/lib/systemd/system/wazuh-indexer.service. 05/03/2024 15:52:04 INFO: wazuh-indexer service started. 05/03/2024 15:52:04 INFO: Initializing Wazuh indexer cluster security settings. ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... 
done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index does not exists, attempt to create it ... done (0-all replicas) Populate config from /etc/wazuh-indexer/opensearch-security/ Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml SUCC: Configuration for 'config' created or updated Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml SUCC: Configuration for 'roles' created or updated Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml SUCC: Configuration for 'internalusers' created or updated Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml SUCC: Configuration for 'actiongroups' created or updated Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml SUCC: Configuration for 'tenants' created or updated Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml SUCC: Configuration for 'nodesdn' created or updated Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml SUCC: Configuration for 'whitelist' created or updated Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml SUCC: Configuration for 'audit' created or updated Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml SUCC: Configuration for 'allowlist' created or updated SUCC: Expected 10 config types for node 
{"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null Done with success 05/03/2024 15:52:15 INFO: Wazuh indexer cluster security configuration initialized. 05/03/2024 15:52:15 INFO: Wazuh indexer cluster initialized. 05/03/2024 15:52:15 INFO: --- Wazuh server --- 05/03/2024 15:52:15 INFO: Starting the Wazuh manager installation. Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. Last metadata expiration check: 0:02:27 ago on Tue 05 Mar 2024 03:49:49 PM UTC. Dependencies resolved. ================================================================================ Package Architecture Version Repository Size ================================================================================ Installing: wazuh-manager x86_64 4.8.0-1 wazuh 290 M Transaction Summary ================================================================================ Install 1 Package Total download size: 290 M Installed size: 878 M Downloading Packages: wazuh-manager-4.8.0-1.x86_64.rpm 156 MB/s | 290 MB 00:01 -------------------------------------------------------------------------------- Total 156 MB/s | 290 MB 00:01 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: wazuh-manager-4.8.0-1.x86_64 1/1 Installing : wazuh-manager-4.8.0-1.x86_64 1/1 Running scriptlet: wazuh-manager-4.8.0-1.x86_64 1/1 Verifying : wazuh-manager-4.8.0-1.x86_64 1/1 Installed products updated. Installed: wazuh-manager-4.8.0-1.x86_64 Complete! 05/03/2024 15:53:42 INFO: Wazuh manager installation finished. 
05/03/2024 15:53:42 INFO: Wazuh manager vulnerability detection configuration finished. 05/03/2024 15:53:42 INFO: Starting service wazuh-manager. Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service. 05/03/2024 15:54:01 INFO: wazuh-manager service started. 05/03/2024 15:54:01 INFO: Starting Filebeat installation. Installed: filebeat-7.10.2-1.x86_64 05/03/2024 15:54:20 INFO: Filebeat installation finished. wazuh/ wazuh/alerts/ wazuh/alerts/ingest/ wazuh/alerts/ingest/pipeline.json wazuh/alerts/config/ wazuh/alerts/config/alerts.yml wazuh/alerts/manifest.yml wazuh/archives/ wazuh/archives/ingest/ wazuh/archives/ingest/pipeline.json wazuh/archives/config/ wazuh/archives/config/archives.yml wazuh/archives/manifest.yml wazuh/_meta/ wazuh/_meta/docs.asciidoc wazuh/_meta/config.yml wazuh/_meta/fields.yml wazuh/module.yml Created filebeat keystore Successfully updated the keystore Successfully updated the keystore 05/03/2024 15:54:22 INFO: Filebeat post-install configuration finished. 05/03/2024 15:54:22 INFO: Starting service filebeat. Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install. Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service. 05/03/2024 15:54:24 INFO: filebeat service started. 05/03/2024 15:54:24 INFO: --- Wazuh dashboard --- 05/03/2024 15:54:24 INFO: Starting Wazuh dashboard installation. Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. Last metadata expiration check: 0:04:39 ago on Tue 05 Mar 2024 03:49:49 PM UTC. Dependencies resolved. 
================================================================================
 Package              Architecture    Version        Repository    Size
================================================================================
Installing:
 wazuh-dashboard      x86_64          4.8.0-1        wazuh         273 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 273 M
Installed size: 902 M
Downloading Packages:
wazuh-dashboard-4.8.0-1.x86_64.rpm               39 MB/s | 273 MB     00:06
--------------------------------------------------------------------------------
Total                                            39 MB/s | 273 MB     00:06
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                    1/1
  Running scriptlet: wazuh-dashboard-4.8.0-1.x86_64     1/1
  Installing       : wazuh-dashboard-4.8.0-1.x86_64     1/1
  Running scriptlet: wazuh-dashboard-4.8.0-1.x86_64     1/1
  Verifying        : wazuh-dashboard-4.8.0-1.x86_64     1/1
Installed products updated.

Installed:
  wazuh-dashboard-4.8.0-1.x86_64

Complete!
05/03/2024 15:56:59 INFO: Wazuh dashboard installation finished.
05/03/2024 15:56:59 INFO: Wazuh dashboard post-install configuration finished.
05/03/2024 15:56:59 INFO: Starting service wazuh-dashboard.
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service.
05/03/2024 15:57:00 INFO: wazuh-dashboard service started.
05/03/2024 15:57:04 INFO: Updating the internal users.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml
   SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml
   SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml
   SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml
   SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml
   SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml
   SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml
   SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml
   SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml
05/03/2024 15:57:12 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml
   SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml
   SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml
   SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml
   SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml
   SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml
   SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml
   SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml
   SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml
Successfully updated the keystore
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /home/ec2-user
Force type: internalusers
Will update '/internalusers' with /etc/wazuh-indexer/backup/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["internalusers"],"updated_config_size":1,"message":null} is 1 (["internalusers"]) due to: null
Done with success
05/03/2024 15:58:20 INFO: Initializing Wazuh dashboard web application.
05/03/2024 15:58:21 INFO: Wazuh dashboard web application not yet initialized. Waiting...
05/03/2024 15:58:37 INFO: Wazuh dashboard web application not yet initialized. Waiting...
05/03/2024 15:58:52 INFO: Wazuh dashboard web application initialized.
05/03/2024 15:58:52 INFO: Installation finished.
[root@ip-172-31-36-46 ec2-user]#
```
davidcr01 commented 8 months ago

Installed packages :green_circle:

Amazon Linux 2 :green_circle:

```shellsession
[root@ip-172-31-34-139 ec2-user]# rpm -qa --last | head -n 20
wazuh-dashboard-4.8.0-1.x86_64                Tue 05 Mar 2024 03:54:12 PM UTC
filebeat-7.10.2-1.x86_64                      Tue 05 Mar 2024 03:52:27 PM UTC
wazuh-manager-4.8.0-1.x86_64                  Tue 05 Mar 2024 03:51:34 PM UTC
wazuh-indexer-4.8.0-1.x86_64                  Tue 05 Mar 2024 03:50:11 PM UTC
gpg-pubkey-29111145-591cd381                  Tue 05 Mar 2024 03:48:40 PM UTC
```

Ubuntu 22 :green_circle:

```shellsession
root@ip-172-31-32-170:/home/ubuntu# grep " install " /var/log/dpkg.log | tail
2024-03-05 15:49:01 install apt-transport-https:all <none> 2.4.11
2024-03-05 15:49:29 install wazuh-indexer:amd64 <none> 4.8.0-1
2024-03-05 15:51:49 install wazuh-manager:amd64 <none> 4.8.0-1
2024-03-05 15:53:54 install filebeat:amd64 <none> 7.10.2
2024-03-05 15:54:24 install wazuh-dashboard:amd64 <none> 4.8.0-1
```

RHEL 9 :green_circle:

```shellsession
[root@ip-172-31-36-46 ec2-user]# rpm -qa --last | head -n 20
wazuh-dashboard-4.8.0-1.x86_64                Tue 05 Mar 2024 03:56:49 PM UTC
filebeat-7.10.2-1.x86_64                      Tue 05 Mar 2024 03:54:09 PM UTC
wazuh-manager-4.8.0-1.x86_64                  Tue 05 Mar 2024 03:53:04 PM UTC
wazuh-indexer-4.8.0-1.x86_64                  Tue 05 Mar 2024 03:51:32 PM UTC
gpg-pubkey-29111145-591cd381                  Tue 05 Mar 2024 03:49:28 PM UTC
```

davidcr01 commented 8 months ago

Wazuh indexer logs :yellow_circle:

:yellow_circle: In the wazuh-cluster.log file, the following warning has been detected again: `Authentication finally failed for admin from 127.0.0.1:53884`. Related: https://github.com/wazuh/wazuh-indexer/issues/167. After a while, the warnings are no longer generated, for unknown reasons. This behavior may be related to https://github.com/wazuh/wazuh/issues/21829, when the IndexerConnector finally initializes.

Amazon Linux 2 :yellow_circle:

Agent status

```shellsession
[root@ip-172-31-34-139 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2024-03-05 15:50:48 UTC; 20min ago
     Docs: https://documentation.wazuh.com
 Main PID: 4886 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─4886 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTo...

Mar 05 15:50:27 ip-172-31-34-139.ec2.internal systemd[1]: Starting Wazuh-indexer...
Mar 05 15:50:29 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 05 15:50:29 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file...0.0.jar)
Mar 05 15:50:29 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Mar 05 15:50:29 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: System::setSecurityManager will be removed in a future release
Mar 05 15:50:32 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 05 15:50:32 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/...0.0.jar)
Mar 05 15:50:32 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Mar 05 15:50:32 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: System::setSecurityManager will be removed in a future release
Mar 05 15:50:48 ip-172-31-34-139.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ip-172-31-34-139 ec2-user]#
```

Service status

```shellsession
[root@ip-172-31-34-139 ec2-user]# journalctl -xe -u wazuh-indexer.service --no-pager
-- Logs begin at Tue 2024-03-05 10:34:47 UTC, end at Tue 2024-03-05 16:11:23 UTC. --
Mar 05 15:50:27 ip-172-31-34-139.ec2.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Mar 05 15:50:29 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 05 15:50:29 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Mar 05 15:50:29 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Mar 05 15:50:29 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: System::setSecurityManager will be removed in a future release
Mar 05 15:50:32 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 05 15:50:32 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Mar 05 15:50:32 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Mar 05 15:50:32 ip-172-31-34-139.ec2.internal systemd-entrypoint[4886]: WARNING: System::setSecurityManager will be removed in a future release
Mar 05 15:50:48 ip-172-31-34-139.ec2.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
[root@ip-172-31-34-139 ec2-user]#
```

Errors

:yellow_circle: Normal errors of uninitialized indexes. Related: https://github.com/wazuh/wazuh-packages/issues/1511#issuecomment-1308329094

:yellow_circle: Related: https://github.com/wazuh/wazuh-indexer/issues/167

```shellsession
[root@ip-172-31-34-139 ec2-user]# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
[2024-03-05T15:50:32,094][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1931m, -Xmx1931m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-10406856579047660309, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=1012924416, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-03-05T15:50:43,376][WARN ][o.o.s.c.Salt ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2024-03-05T15:50:43,429][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-03-05T15:50:43,431][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2024-03-05T15:50:44,757][WARN ][o.o.s.p.SQLPlugin ] [node-1] Master key is a required config for using create and update datasource APIs. Please set plugins.query.datasources.encryption.masterkey config in opensearch.yml in all the cluster nodes. More details can be found here: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/admin/datasources.rst#master-key-config-for-encrypting-credential-information
[2024-03-05T15:50:46,733][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2024-03-05T15:50:48,538][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2024-03-05T15:50:48,634][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:50:48,635][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:50:48,635][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:50:48,635][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:50:48,636][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:50:48,636][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:50:48,636][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:50:48,636][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:50:48,637][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:50:48,637][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:50:49,063][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-03-05T15:55:25,633][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:48996
[2024-03-05T15:55:28,155][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:49702
[2024-03-05T15:55:29,869][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:49718
[2024-03-05T15:55:32,828][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:49718
[2024-03-05T15:55:33,783][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:49730
[2024-03-05T15:55:35,512][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:49718
[root@ip-172-31-34-139 ec2-user]#
```

Ubuntu 22 :yellow_circle:

Agent status

```shellsession
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-03-05 15:51:31 UTC; 19min ago
       Docs: https://documentation.wazuh.com
   Main PID: 4625 (java)
      Tasks: 73 (limit: 4632)
     Memory: 2.2G
        CPU: 1min 44.001s
     CGroup: /system.slice/wazuh-indexer.service
             └─4625 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.head>

Mar 05 15:51:06 ip-172-31-32-170 systemd[1]: Starting Wazuh-indexer...
Mar 05 15:51:09 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 05 15:51:09 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.j>
Mar 05 15:51:09 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Mar 05 15:51:09 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: System::setSecurityManager will be removed in a future release
Mar 05 15:51:12 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 05 15:51:12 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Mar 05 15:51:12 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Mar 05 15:51:12 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: System::setSecurityManager will be removed in a future release
Mar 05 15:51:31 ip-172-31-32-170 systemd[1]: Started Wazuh-indexer.
~
~
lines 1-21/21 (END)
```

Service status

```shellsession
root@ip-172-31-32-170:/home/ubuntu# journalctl -xe -u wazuh-indexer.service --no-pager
Mar 05 15:51:06 ip-172-31-32-170 systemd[1]: Starting Wazuh-indexer...
░░ Subject: A start job for unit wazuh-indexer.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-indexer.service has begun execution.
░░
░░ The job identifier is 2582.
Mar 05 15:51:09 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 05 15:51:09 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Mar 05 15:51:09 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Mar 05 15:51:09 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: System::setSecurityManager will be removed in a future release
Mar 05 15:51:12 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 05 15:51:12 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Mar 05 15:51:12 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Mar 05 15:51:12 ip-172-31-32-170 systemd-entrypoint[4625]: WARNING: System::setSecurityManager will be removed in a future release
Mar 05 15:51:31 ip-172-31-32-170 systemd[1]: Started Wazuh-indexer.
░░ Subject: A start job for unit wazuh-indexer.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-indexer.service has finished successfully.
░░
░░ The job identifier is 2582.
```

Errors

:yellow_circle: Normal errors of uninitialized indexes. Related: https://github.com/wazuh/wazuh-packages/issues/1511#issuecomment-1308329094

:yellow_circle: Related issue: https://github.com/wazuh/wazuh-indexer/issues/71 `Fail to read queue capacity via reflection`

:yellow_circle: Related: https://github.com/wazuh/wazuh-indexer/issues/167

```shellsession
root@ip-172-31-32-170:/home/ubuntu# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
[2024-03-05T15:51:12,092][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1937m, -Xmx1937m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-6218923404816693091, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opendistro-performance-analyzer/pa_config/es_security.policy, -XX:MaxDirectMemorySize=1016070144, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-03-05T15:51:24,748][WARN ][o.o.s.c.Salt ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2024-03-05T15:51:24,813][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-03-05T15:51:24,815][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2024-03-05T15:51:26,309][WARN ][o.o.s.p.SQLPlugin ] [node-1] Master key is a required config for using create and update datasource APIs. Please set plugins.query.datasources.encryption.masterkey config in opensearch.yml in all the cluster nodes. More details can be found here: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/admin/datasources.rst#master-key-config-for-encrypting-credential-information
[2024-03-05T15:51:27,245][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,277][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,278][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,278][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,278][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,279][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,279][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,280][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,280][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,280][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,281][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,282][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,282][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,283][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,283][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,284][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,304][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,319][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,320][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,320][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,321][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,321][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,321][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,322][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,322][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,322][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,323][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,323][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,323][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,324][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,324][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,324][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,325][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,337][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,338][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:27,339][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-03-05T15:51:28,939][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2024-03-05T15:51:31,098][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2024-03-05T15:51:31,698][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-03-05T15:51:32,176][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:51:32,177][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:51:32,179][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:51:32,179][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:51:32,182][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:51:32,182][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:51:32,183][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:51:32,183][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:51:32,201][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:51:32,204][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:57:31,740][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:53874
[2024-03-05T15:57:33,063][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:53880
[2024-03-05T15:57:34,421][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:53880
[2024-03-05T15:57:34,436][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:53884
[2024-03-05T15:57:38,129][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:53880
[2024-03-05T15:57:39,419][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:56890
root@ip-172-31-32-170:/home/ubuntu#
```

RHEL 9 :yellow_circle:

Agent status

```shellsession
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-03-05 15:52:04 UTC; 19min ago
       Docs: https://documentation.wazuh.com
   Main PID: 15631 (java)
      Tasks: 68 (limit: 22632)
     Memory: 2.1G
        CPU: 1min 29.994s
     CGroup: /system.slice/wazuh-indexer.service
             └─15631 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.hea>

Mar 05 15:51:40 ip-172-31-36-46.ec2.internal systemd[1]: Starting Wazuh-indexer...
Mar 05 15:51:43 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 05 15:51:43 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opense>
Mar 05 15:51:43 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Mar 05 15:51:43 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: System::setSecurityManager will be removed in a future release
Mar 05 15:51:45 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 05 15:51:45 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensear>
Mar 05 15:51:45 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Mar 05 15:51:45 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: System::setSecurityManager will be removed in a future release
Mar 05 15:52:04 ip-172-31-36-46.ec2.internal systemd[1]: Started Wazuh-indexer.
~
~
lines 1-21/21 (END)
```

Service status

```shellsession
[root@ip-172-31-36-46 ec2-user]# journalctl -xe -u wazuh-indexer.service --no-pager
Mar 05 15:51:40 ip-172-31-36-46.ec2.internal systemd[1]: Starting Wazuh-indexer...
░░ Subject: A start job for unit wazuh-indexer.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-indexer.service has begun execution.
░░
░░ The job identifier is 6659.
Mar 05 15:51:43 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 05 15:51:43 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Mar 05 15:51:43 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Mar 05 15:51:43 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: System::setSecurityManager will be removed in a future release
Mar 05 15:51:45 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 05 15:51:45 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Mar 05 15:51:45 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Mar 05 15:51:45 ip-172-31-36-46.ec2.internal systemd-entrypoint[15631]: WARNING: System::setSecurityManager will be removed in a future release
Mar 05 15:52:04 ip-172-31-36-46.ec2.internal systemd[1]: Started Wazuh-indexer.
░░ Subject: A start job for unit wazuh-indexer.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-indexer.service has finished successfully.
░░
░░ The job identifier is 6659.
[root@ip-172-31-36-46 ec2-user]#
```

Errors

:yellow_circle: Normal errors of uninitialized indexes. Related: https://github.com/wazuh/wazuh-packages/issues/1511#issuecomment-1308329094

:yellow_circle: Related: https://github.com/wazuh/wazuh-indexer/issues/167

```shellsession
[root@ip-172-31-36-46 ec2-user]# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
[2024-03-05T15:51:45,773][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1807m, -Xmx1807m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-3812886053180548731, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=947912704, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-03-05T15:51:58,609][WARN ][o.o.s.c.Salt ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2024-03-05T15:51:58,672][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-03-05T15:51:58,677][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2024-03-05T15:52:00,308][WARN ][o.o.s.p.SQLPlugin ] [node-1] Master key is a required config for using create and update datasource APIs. Please set plugins.query.datasources.encryption.masterkey config in opensearch.yml in all the cluster nodes. More details can be found here: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/admin/datasources.rst#master-key-config-for-encrypting-credential-information
[2024-03-05T15:52:02,602][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2024-03-05T15:52:04,525][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2024-03-05T15:52:04,651][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:52:04,651][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:52:04,651][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:52:04,652][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:52:04,652][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:52:04,652][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:52:04,652][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:52:04,664][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:52:04,665][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:52:04,665][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-03-05T15:52:05,036][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-03-05T15:57:57,701][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:35358
[2024-03-05T15:58:00,226][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:35360
[2024-03-05T15:58:05,270][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:35376
[2024-03-05T15:58:10,207][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:53268
[2024-03-05T15:58:12,174][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:53268
[root@ip-172-31-36-46 ec2-user]#
```

davidcr01 commented 8 months ago

Wazuh manager logs :yellow_circle:

Amazon Linux 2 :yellow_circle:

Agent status

```shellsession
[root@ip-172-31-34-139 ec2-user]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2024-03-05 15:55:27 UTC; 33min ago
   CGroup: /system.slice/wazuh-manager.service
           ├─9601 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─9602 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─9605 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─9608 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─9652 /var/ossec/bin/wazuh-authd
           ├─9669 /var/ossec/bin/wazuh-db
           ├─9694 /var/ossec/bin/wazuh-execd
           ├─9710 /var/ossec/bin/wazuh-analysisd
           ├─9723 /var/ossec/bin/wazuh-syscheckd
           ├─9771 /var/ossec/bin/wazuh-remoted
           ├─9806 /var/ossec/bin/wazuh-logcollector
           ├─9825 /var/ossec/bin/wazuh-monitord
           └─9850 /var/ossec/bin/wazuh-modulesd

Mar 05 15:55:20 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-analysisd...
Mar 05 15:55:21 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-syscheckd...
Mar 05 15:55:22 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-remoted...
Mar 05 15:55:23 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-logcollector...
Mar 05 15:55:24 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-monitord...
Mar 05 15:55:24 ip-172-31-34-139.ec2.internal env[9541]: 2024/03/05 15:55:24 wazuh-modulesd:router: INFO: Loaded router module.
Mar 05 15:55:24 ip-172-31-34-139.ec2.internal env[9541]: 2024/03/05 15:55:24 wazuh-modulesd:content_manager: INFO: Loaded content...dule.
Mar 05 15:55:25 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-modulesd...
Mar 05 15:55:27 ip-172-31-34-139.ec2.internal env[9541]: Completed.
Mar 05 15:55:27 ip-172-31-34-139.ec2.internal systemd[1]: Started Wazuh manager.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ip-172-31-34-139 ec2-user]#
```

Service status

```shellsession
[root@ip-172-31-34-139 ec2-user]# journalctl -xe -u wazuh-manager.service --no-pager
-- Logs begin at Tue 2024-03-05 10:34:47 UTC, end at Tue 2024-03-05 16:29:00 UTC. --
Mar 05 15:51:52 ip-172-31-34-139.ec2.internal systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Mar 05 15:51:53 ip-172-31-34-139.ec2.internal env[6247]: 2024/03/05 15:51:53 wazuh-modulesd:router: INFO: Loaded router module.
Mar 05 15:51:53 ip-172-31-34-139.ec2.internal env[6247]: 2024/03/05 15:51:53 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Mar 05 15:51:54 ip-172-31-34-139.ec2.internal env[6247]: Starting Wazuh v4.8.0...
Mar 05 15:51:57 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-apid...
Mar 05 15:51:57 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-csyslogd...
Mar 05 15:51:57 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-dbd...
Mar 05 15:51:57 ip-172-31-34-139.ec2.internal env[6247]: 2024/03/05 15:51:57 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Mar 05 15:51:57 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-integratord...
Mar 05 15:51:57 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-agentlessd...
Mar 05 15:51:58 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-authd...
Mar 05 15:51:59 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-db...
Mar 05 15:52:00 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-execd...
Mar 05 15:52:01 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-analysisd...
Mar 05 15:52:02 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-syscheckd...
Mar 05 15:52:03 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-remoted...
Mar 05 15:52:04 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-logcollector...
Mar 05 15:52:06 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-monitord...
Mar 05 15:52:06 ip-172-31-34-139.ec2.internal env[6247]: 2024/03/05 15:52:06 wazuh-modulesd:router: INFO: Loaded router module.
Mar 05 15:52:06 ip-172-31-34-139.ec2.internal env[6247]: 2024/03/05 15:52:06 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Mar 05 15:52:07 ip-172-31-34-139.ec2.internal env[6247]: Started wazuh-modulesd...
Mar 05 15:52:09 ip-172-31-34-139.ec2.internal env[6247]: Completed.
Mar 05 15:52:09 ip-172-31-34-139.ec2.internal systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.
Mar 05 15:54:58 ip-172-31-34-139.ec2.internal systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun shutting down.
Mar 05 15:54:58 ip-172-31-34-139.ec2.internal env[9245]: wazuh-clusterd not running...
Mar 05 15:54:58 ip-172-31-34-139.ec2.internal env[9245]: Killing wazuh-modulesd...
Mar 05 15:55:06 ip-172-31-34-139.ec2.internal env[9245]: Killing wazuh-monitord...
Mar 05 15:55:06 ip-172-31-34-139.ec2.internal env[9245]: Killing wazuh-logcollector...
Mar 05 15:55:06 ip-172-31-34-139.ec2.internal env[9245]: Killing wazuh-remoted...
Mar 05 15:55:06 ip-172-31-34-139.ec2.internal env[9245]: Killing wazuh-syscheckd...
Mar 05 15:55:07 ip-172-31-34-139.ec2.internal env[9245]: Killing wazuh-analysisd...
Mar 05 15:55:07 ip-172-31-34-139.ec2.internal env[9245]: wazuh-maild not running...
Mar 05 15:55:07 ip-172-31-34-139.ec2.internal env[9245]: Killing wazuh-execd...
Mar 05 15:55:07 ip-172-31-34-139.ec2.internal env[9245]: Killing wazuh-db...
Mar 05 15:55:08 ip-172-31-34-139.ec2.internal env[9245]: Killing wazuh-authd...
Mar 05 15:55:09 ip-172-31-34-139.ec2.internal env[9245]: wazuh-agentlessd not running...
Mar 05 15:55:09 ip-172-31-34-139.ec2.internal env[9245]: wazuh-integratord not running...
Mar 05 15:55:09 ip-172-31-34-139.ec2.internal env[9245]: wazuh-dbd not running...
Mar 05 15:55:09 ip-172-31-34-139.ec2.internal env[9245]: wazuh-csyslogd not running...
Mar 05 15:55:09 ip-172-31-34-139.ec2.internal env[9245]: Killing wazuh-apid...
Mar 05 15:55:09 ip-172-31-34-139.ec2.internal env[9245]: Wazuh v4.8.0 Stopped
Mar 05 15:55:09 ip-172-31-34-139.ec2.internal systemd[1]: Stopped Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished shutting down.
Mar 05 15:55:09 ip-172-31-34-139.ec2.internal systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Mar 05 15:55:12 ip-172-31-34-139.ec2.internal env[9541]: 2024/03/05 15:55:12 wazuh-modulesd:router: INFO: Loaded router module.
Mar 05 15:55:12 ip-172-31-34-139.ec2.internal env[9541]: 2024/03/05 15:55:12 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Mar 05 15:55:12 ip-172-31-34-139.ec2.internal env[9541]: Starting Wazuh v4.8.0...
Mar 05 15:55:15 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-apid...
Mar 05 15:55:15 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-csyslogd...
Mar 05 15:55:15 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-dbd...
Mar 05 15:55:15 ip-172-31-34-139.ec2.internal env[9541]: 2024/03/05 15:55:15 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Mar 05 15:55:15 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-integratord...
Mar 05 15:55:15 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-agentlessd...
Mar 05 15:55:17 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-authd...
Mar 05 15:55:18 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-db...
Mar 05 15:55:19 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-execd...
Mar 05 15:55:20 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-analysisd...
Mar 05 15:55:21 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-syscheckd...
Mar 05 15:55:22 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-remoted...
Mar 05 15:55:23 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-logcollector...
Mar 05 15:55:24 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-monitord...
Mar 05 15:55:24 ip-172-31-34-139.ec2.internal env[9541]: 2024/03/05 15:55:24 wazuh-modulesd:router: INFO: Loaded router module.
Mar 05 15:55:24 ip-172-31-34-139.ec2.internal env[9541]: 2024/03/05 15:55:24 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Mar 05 15:55:25 ip-172-31-34-139.ec2.internal env[9541]: Started wazuh-modulesd...
Mar 05 15:55:27 ip-172-31-34-139.ec2.internal env[9541]: Completed.
Mar 05 15:55:27 ip-172-31-34-139.ec2.internal systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.
[root@ip-172-31-34-139 ec2-user]#
```

:yellow_circle: Errors

:yellow_circle: Related: https://github.com/wazuh/wazuh/issues/21829

```shellsession
[root@ip-172-31-34-139 ec2-user]# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
2024/03/05 15:52:06 indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after 2 seconds.
2024/03/05 15:52:08 indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after 4 seconds.
2024/03/05 15:52:12 indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after 8 seconds.
2024/03/05 15:52:20 indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after 16 seconds.
2024/03/05 15:52:36 indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after 32 seconds.
2024/03/05 15:55:25 indexer-connector: WARNING: Error initializing IndexerConnector: HTTP response code said error: 401, we will try again after 2 seconds.
2024/03/05 15:55:28 indexer-connector: WARNING: Error initializing IndexerConnector: HTTP response code said error: 401, we will try again after 4 seconds.
2024/03/05 15:55:33 indexer-connector: WARNING: Error initializing IndexerConnector: HTTP response code said error: 401, we will try again after 8 seconds.
[root@ip-172-31-34-139 ec2-user]#
```

Ubuntu 22 :yellow_circle:

Agent status

```shellsession
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-03-05 15:57:33 UTC; 31min ago
      Tasks: 151 (limit: 4632)
     Memory: 517.0M
        CPU: 52.517s
     CGroup: /system.slice/wazuh-manager.service
             ├─53154 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─53155 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─53158 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─53161 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─53203 /var/ossec/bin/wazuh-authd
             ├─53219 /var/ossec/bin/wazuh-db
             ├─53244 /var/ossec/bin/wazuh-execd
             ├─53258 /var/ossec/bin/wazuh-analysisd
             ├─53271 /var/ossec/bin/wazuh-syscheckd
             ├─53318 /var/ossec/bin/wazuh-remoted
             ├─53352 /var/ossec/bin/wazuh-logcollector
             ├─53371 /var/ossec/bin/wazuh-monitord
             └─53394 /var/ossec/bin/wazuh-modulesd

Mar 05 15:57:26 ip-172-31-32-170 env[53097]: Started wazuh-analysisd...
Mar 05 15:57:27 ip-172-31-32-170 env[53097]: Started wazuh-syscheckd...
lines 1-23
```

Service status

```shellsession
root@ip-172-31-32-170:/home/ubuntu# journalctl -xe -u wazuh-manager.service --no-pager
Mar 05 15:53:26 ip-172-31-32-170 systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 2930.
Mar 05 15:53:31 ip-172-31-32-170 env[49651]: 2024/03/05 15:53:31 wazuh-modulesd:router: INFO: Loaded router module.
Mar 05 15:53:31 ip-172-31-32-170 env[49651]: 2024/03/05 15:53:31 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Mar 05 15:53:32 ip-172-31-32-170 env[49601]: Starting Wazuh v4.8.0...
Mar 05 15:53:38 ip-172-31-32-170 env[49601]: Started wazuh-apid...
Mar 05 15:53:38 ip-172-31-32-170 env[49601]: Started wazuh-csyslogd...
Mar 05 15:53:38 ip-172-31-32-170 env[49601]: Started wazuh-dbd...
Mar 05 15:53:38 ip-172-31-32-170 env[49697]: 2024/03/05 15:53:38 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Mar 05 15:53:38 ip-172-31-32-170 env[49601]: Started wazuh-integratord...
Mar 05 15:53:38 ip-172-31-32-170 env[49601]: Started wazuh-agentlessd...
Mar 05 15:53:39 ip-172-31-32-170 env[49601]: Started wazuh-authd...
Mar 05 15:53:40 ip-172-31-32-170 env[49601]: Started wazuh-db...
Mar 05 15:53:41 ip-172-31-32-170 env[49601]: Started wazuh-execd...
Mar 05 15:53:42 ip-172-31-32-170 env[49601]: Started wazuh-analysisd...
Mar 05 15:53:43 ip-172-31-32-170 env[49601]: Started wazuh-syscheckd...
Mar 05 15:53:45 ip-172-31-32-170 env[49601]: Started wazuh-remoted...
Mar 05 15:53:46 ip-172-31-32-170 env[49601]: Started wazuh-logcollector...
Mar 05 15:53:47 ip-172-31-32-170 env[49601]: Started wazuh-monitord...
Mar 05 15:53:47 ip-172-31-32-170 env[49923]: 2024/03/05 15:53:47 wazuh-modulesd:router: INFO: Loaded router module.
Mar 05 15:53:47 ip-172-31-32-170 env[49923]: 2024/03/05 15:53:47 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Mar 05 15:53:48 ip-172-31-32-170 env[49601]: Started wazuh-modulesd...
Mar 05 15:53:50 ip-172-31-32-170 env[49601]: Completed.
Mar 05 15:53:50 ip-172-31-32-170 systemd[1]: Started Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has finished successfully.
░░
░░ The job identifier is 2930.
Mar 05 15:57:02 ip-172-31-32-170 systemd[1]: Stopping Wazuh manager...
░░ Subject: A stop job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A stop job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 4066.
Mar 05 15:57:02 ip-172-31-32-170 env[52763]: wazuh-clusterd not running...
Mar 05 15:57:02 ip-172-31-32-170 env[52763]: Killing wazuh-modulesd...
Mar 05 15:57:13 ip-172-31-32-170 env[52763]: Killing wazuh-monitord...
Mar 05 15:57:13 ip-172-31-32-170 env[52763]: Killing wazuh-logcollector...
Mar 05 15:57:13 ip-172-31-32-170 env[52763]: Killing wazuh-remoted...
Mar 05 15:57:13 ip-172-31-32-170 env[52763]: Killing wazuh-syscheckd...
Mar 05 15:57:13 ip-172-31-32-170 env[52763]: Killing wazuh-analysisd...
Mar 05 15:57:13 ip-172-31-32-170 env[52763]: wazuh-maild not running...
Mar 05 15:57:13 ip-172-31-32-170 env[52763]: Killing wazuh-execd...
Mar 05 15:57:13 ip-172-31-32-170 env[52763]: Killing wazuh-db...
Mar 05 15:57:14 ip-172-31-32-170 env[52763]: Killing wazuh-authd...
Mar 05 15:57:15 ip-172-31-32-170 env[52763]: wazuh-agentlessd not running...
Mar 05 15:57:15 ip-172-31-32-170 env[52763]: wazuh-integratord not running...
Mar 05 15:57:15 ip-172-31-32-170 env[52763]: wazuh-dbd not running...
Mar 05 15:57:15 ip-172-31-32-170 env[52763]: wazuh-csyslogd not running...
Mar 05 15:57:15 ip-172-31-32-170 env[52763]: Killing wazuh-apid...
Mar 05 15:57:15 ip-172-31-32-170 env[52763]: Wazuh v4.8.0 Stopped
Mar 05 15:57:15 ip-172-31-32-170 systemd[1]: wazuh-manager.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service has successfully entered the 'dead' state.
Mar 05 15:57:15 ip-172-31-32-170 systemd[1]: Stopped Wazuh manager.
░░ Subject: A stop job for unit wazuh-manager.service has finished
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A stop job for unit wazuh-manager.service has finished.
░░
░░ The job identifier is 4066 and the job result is done.
Mar 05 15:57:15 ip-172-31-32-170 systemd[1]: wazuh-manager.service: Consumed 1min 38.161s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service completed and consumed the indicated resources.
Mar 05 15:57:15 ip-172-31-32-170 systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 4066.
Mar 05 15:57:18 ip-172-31-32-170 env[53128]: 2024/03/05 15:57:18 wazuh-modulesd:router: INFO: Loaded router module.
Mar 05 15:57:18 ip-172-31-32-170 env[53128]: 2024/03/05 15:57:18 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Mar 05 15:57:18 ip-172-31-32-170 env[53097]: Starting Wazuh v4.8.0...
Mar 05 15:57:22 ip-172-31-32-170 env[53097]: Started wazuh-apid...
Mar 05 15:57:22 ip-172-31-32-170 env[53097]: Started wazuh-csyslogd...
Mar 05 15:57:22 ip-172-31-32-170 env[53097]: Started wazuh-dbd...
Mar 05 15:57:22 ip-172-31-32-170 env[53182]: 2024/03/05 15:57:22 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Mar 05 15:57:22 ip-172-31-32-170 env[53097]: Started wazuh-integratord...
Mar 05 15:57:22 ip-172-31-32-170 env[53097]: Started wazuh-agentlessd...
Mar 05 15:57:23 ip-172-31-32-170 env[53097]: Started wazuh-authd...
Mar 05 15:57:24 ip-172-31-32-170 env[53097]: Started wazuh-db...
Mar 05 15:57:25 ip-172-31-32-170 env[53097]: Started wazuh-execd...
Mar 05 15:57:26 ip-172-31-32-170 env[53097]: Started wazuh-analysisd...
Mar 05 15:57:27 ip-172-31-32-170 env[53097]: Started wazuh-syscheckd...
Mar 05 15:57:28 ip-172-31-32-170 env[53097]: Started wazuh-remoted...
Mar 05 15:57:29 ip-172-31-32-170 env[53097]: Started wazuh-logcollector...
Mar 05 15:57:30 ip-172-31-32-170 env[53097]: Started wazuh-monitord...
Mar 05 15:57:30 ip-172-31-32-170 env[53390]: 2024/03/05 15:57:30 wazuh-modulesd:router: INFO: Loaded router module.
Mar 05 15:57:30 ip-172-31-32-170 env[53390]: 2024/03/05 15:57:30 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Mar 05 15:57:31 ip-172-31-32-170 env[53097]: Started wazuh-modulesd...
Mar 05 15:57:33 ip-172-31-32-170 env[53097]: Completed.
Mar 05 15:57:33 ip-172-31-32-170 systemd[1]: Started Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has finished successfully.
░░
░░ The job identifier is 4066.
root@ip-172-31-32-170:/home/ubuntu#
```

:yellow_circle: Errors

:yellow_circle: Related: https://github.com/wazuh/wazuh/issues/21829

```shellsession
root@ip-172-31-32-170:/home/ubuntu# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
2024/03/05 15:53:47 indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after 2 seconds.
2024/03/05 15:53:49 indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after 4 seconds.
2024/03/05 15:53:53 indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after 8 seconds.
2024/03/05 15:54:01 indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after 16 seconds.
2024/03/05 15:57:31 indexer-connector: WARNING: Error initializing IndexerConnector: HTTP response code said error: 401, we will try again after 2 seconds.
2024/03/05 15:57:34 indexer-connector: WARNING: Error initializing IndexerConnector: HTTP response code said error: 401, we will try again after 4 seconds.
2024/03/05 15:57:39 indexer-connector: WARNING: Error initializing IndexerConnector: HTTP response code said error: 401, we will try again after 8 seconds.
root@ip-172-31-32-170:/home/ubuntu#
```

RHEL 9 :yellow_circle:

Agent status

```shellsession
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-03-05 15:57:59 UTC; 30min ago
      Tasks: 150 (limit: 22632)
     Memory: 567.4M
        CPU: 44.677s
     CGroup: /system.slice/wazuh-manager.service
             ├─20360 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─20361 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─20364 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─20367 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─20410 /var/ossec/bin/wazuh-authd
             ├─20428 /var/ossec/bin/wazuh-db
             ├─20454 /var/ossec/bin/wazuh-execd
             ├─20469 /var/ossec/bin/wazuh-analysisd
             ├─20481 /var/ossec/bin/wazuh-syscheckd
             ├─20530 /var/ossec/bin/wazuh-remoted
             ├─20565 /var/ossec/bin/wazuh-logcollector
             ├─20585 /var/ossec/bin/wazuh-monitord
             └─20610 /var/ossec/bin/wazuh-modulesd

Mar 05 15:57:52 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-analysisd...
Mar 05 15:57:53 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-syscheckd...
lines 1-23
```
Service status

```shellsession
[root@ip-172-31-36-46 ec2-user]# journalctl -xe -u wazuh-manager.service --no-pager
Mar 05 15:53:43 ip-172-31-36-46.ec2.internal systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 6750.
Mar 05 15:53:45 ip-172-31-36-46.ec2.internal env[17027]: 2024/03/05 15:53:45 wazuh-modulesd:router: INFO: Loaded router module.
Mar 05 15:53:45 ip-172-31-36-46.ec2.internal env[17027]: 2024/03/05 15:53:45 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Mar 05 15:53:46 ip-172-31-36-46.ec2.internal env[16997]: Starting Wazuh v4.8.0...
Mar 05 15:53:49 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-apid...
Mar 05 15:53:50 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-csyslogd...
Mar 05 15:53:50 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-dbd...
Mar 05 15:53:50 ip-172-31-36-46.ec2.internal env[17073]: 2024/03/05 15:53:50 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Mar 05 15:53:50 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-integratord...
Mar 05 15:53:50 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-agentlessd...
Mar 05 15:53:51 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-authd...
Mar 05 15:53:52 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-db...
Mar 05 15:53:53 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-execd...
Mar 05 15:53:54 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-analysisd...
Mar 05 15:53:55 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-syscheckd...
Mar 05 15:53:56 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-remoted...
Mar 05 15:53:57 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-logcollector...
Mar 05 15:53:58 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-monitord...
Mar 05 15:53:58 ip-172-31-36-46.ec2.internal env[17296]: 2024/03/05 15:53:58 wazuh-modulesd:router: INFO: Loaded router module.
Mar 05 15:53:58 ip-172-31-36-46.ec2.internal env[17296]: 2024/03/05 15:53:58 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Mar 05 15:53:59 ip-172-31-36-46.ec2.internal env[16997]: Started wazuh-modulesd...
Mar 05 15:54:01 ip-172-31-36-46.ec2.internal env[16997]: Completed.
Mar 05 15:54:01 ip-172-31-36-46.ec2.internal systemd[1]: Started Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-manager.service has finished successfully.
░░
░░ The job identifier is 6750.
Mar 05 15:57:28 ip-172-31-36-46.ec2.internal systemd[1]: Stopping Wazuh manager...
░░ Subject: A stop job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A stop job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 7193.
Mar 05 15:57:28 ip-172-31-36-46.ec2.internal env[19973]: wazuh-clusterd not running...
Mar 05 15:57:28 ip-172-31-36-46.ec2.internal env[19973]: Killing wazuh-modulesd...
Mar 05 15:57:39 ip-172-31-36-46.ec2.internal env[19973]: Killing wazuh-monitord...
Mar 05 15:57:39 ip-172-31-36-46.ec2.internal env[19973]: Killing wazuh-logcollector...
Mar 05 15:57:39 ip-172-31-36-46.ec2.internal env[19973]: Killing wazuh-remoted...
Mar 05 15:57:39 ip-172-31-36-46.ec2.internal env[19973]: Killing wazuh-syscheckd...
Mar 05 15:57:39 ip-172-31-36-46.ec2.internal env[19973]: Killing wazuh-analysisd...
Mar 05 15:57:39 ip-172-31-36-46.ec2.internal env[19973]: wazuh-maild not running...
Mar 05 15:57:39 ip-172-31-36-46.ec2.internal env[19973]: Killing wazuh-execd...
Mar 05 15:57:40 ip-172-31-36-46.ec2.internal env[19973]: Killing wazuh-db...
Mar 05 15:57:40 ip-172-31-36-46.ec2.internal env[19973]: Killing wazuh-authd...
Mar 05 15:57:41 ip-172-31-36-46.ec2.internal env[19973]: wazuh-agentlessd not running...
Mar 05 15:57:41 ip-172-31-36-46.ec2.internal env[19973]: wazuh-integratord not running...
Mar 05 15:57:41 ip-172-31-36-46.ec2.internal env[19973]: wazuh-dbd not running...
Mar 05 15:57:41 ip-172-31-36-46.ec2.internal env[19973]: wazuh-csyslogd not running...
Mar 05 15:57:41 ip-172-31-36-46.ec2.internal env[19973]: Killing wazuh-apid...
Mar 05 15:57:41 ip-172-31-36-46.ec2.internal env[19973]: Wazuh v4.8.0 Stopped
Mar 05 15:57:41 ip-172-31-36-46.ec2.internal systemd[1]: wazuh-manager.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ The unit wazuh-manager.service has successfully entered the 'dead' state.
Mar 05 15:57:41 ip-172-31-36-46.ec2.internal systemd[1]: Stopped Wazuh manager.
░░ Subject: A stop job for unit wazuh-manager.service has finished
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A stop job for unit wazuh-manager.service has finished.
░░
░░ The job identifier is 7193 and the job result is done.
Mar 05 15:57:41 ip-172-31-36-46.ec2.internal systemd[1]: wazuh-manager.service: Consumed 1min 20.981s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ The unit wazuh-manager.service completed and consumed the indicated resources.
Mar 05 15:57:41 ip-172-31-36-46.ec2.internal systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 7193.
Mar 05 15:57:44 ip-172-31-36-46.ec2.internal env[20334]: 2024/03/05 15:57:44 wazuh-modulesd:router: INFO: Loaded router module.
Mar 05 15:57:44 ip-172-31-36-46.ec2.internal env[20334]: 2024/03/05 15:57:44 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Mar 05 15:57:44 ip-172-31-36-46.ec2.internal env[20304]: Starting Wazuh v4.8.0...
Mar 05 15:57:48 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-apid...
Mar 05 15:57:48 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-csyslogd...
Mar 05 15:57:48 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-dbd...
Mar 05 15:57:48 ip-172-31-36-46.ec2.internal env[20389]: 2024/03/05 15:57:48 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Mar 05 15:57:48 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-integratord...
Mar 05 15:57:48 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-agentlessd...
Mar 05 15:57:49 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-authd...
Mar 05 15:57:50 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-db...
Mar 05 15:57:51 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-execd...
Mar 05 15:57:52 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-analysisd...
Mar 05 15:57:53 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-syscheckd...
Mar 05 15:57:54 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-remoted...
Mar 05 15:57:55 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-logcollector...
Mar 05 15:57:56 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-monitord...
Mar 05 15:57:56 ip-172-31-36-46.ec2.internal env[20607]: 2024/03/05 15:57:56 wazuh-modulesd:router: INFO: Loaded router module.
Mar 05 15:57:56 ip-172-31-36-46.ec2.internal env[20607]: 2024/03/05 15:57:56 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Mar 05 15:57:57 ip-172-31-36-46.ec2.internal env[20304]: Started wazuh-modulesd...
Mar 05 15:57:59 ip-172-31-36-46.ec2.internal env[20304]: Completed.
Mar 05 15:57:59 ip-172-31-36-46.ec2.internal systemd[1]: Started Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-manager.service has finished successfully.
░░
░░ The job identifier is 7193.
[root@ip-172-31-36-46 ec2-user]#
```
:yellow_circle: Errors :yellow_circle: Related: https://github.com/wazuh/wazuh/issues/21829

```shellsession
[root@ip-172-31-36-46 ec2-user]# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
2024/03/05 15:53:59 indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after 2 seconds.
2024/03/05 15:54:01 indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after 4 seconds.
2024/03/05 15:54:05 indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after 8 seconds.
2024/03/05 15:54:13 indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after 16 seconds.
2024/03/05 15:57:57 indexer-connector: WARNING: Error initializing IndexerConnector: HTTP response code said error: 401, we will try again after 2 seconds.
2024/03/05 15:58:00 indexer-connector: WARNING: Error initializing IndexerConnector: HTTP response code said error: 401, we will try again after 4 seconds.
2024/03/05 15:58:05 indexer-connector: WARNING: Error initializing IndexerConnector: HTTP response code said error: 401, we will try again after 8 seconds.
[root@ip-172-31-36-46 ec2-user]#
```
davidcr01 commented 8 months ago

Wazuh dashboard logs :yellow_circle:

Amazon Linux 2 :green_circle:

Agent status

```shellsession
[root@ip-172-31-34-139 ec2-user]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2024-03-05 15:55:29 UTC; 41min ago
 Main PID: 10597 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─10597 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/sr...

Mar 05 15:55:41 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:41Z","tags":["info","plugins-service"],"p...bled."}
Mar 05 15:55:41 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:41Z","tags":["info","plugins-service"],"p...bled."}
Mar 05 15:55:41 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:41Z","tags":["info","plugins-system"],"pi...a,home,
Mar 05 15:55:42 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:42Z","tags":["info","savedobjects-service...ns..."}
Mar 05 15:55:43 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:43Z","tags":["info","savedobjects-service...tions"}
Mar 05 15:55:43 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:43Z","tags":["info","plugins-system"],"pi...home,ap
Mar 05 15:55:43 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:43Z","tags":["listening","info"],"pid":10...0:443"}
Mar 05 15:55:44 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:44Z","tags":["info","http","server","Open...0:443"}
Mar 05 15:55:46 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"response","@timestamp":"2024-03-05T15:55:45Z","tags":[],"pid":10597,"method":"get","...
Mar 05 16:26:29 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"response","@timestamp":"2024-03-05T16:26:29Z","tags":[],"pid":10597,"method":"get","...
Hint: Some lines were ellipsized, use -l to show in full.
[root@ip-172-31-34-139 ec2-user]#
```
Service status

```shellsession
[root@ip-172-31-34-139 ec2-user]# journalctl -xe -u wazuh-dashboard.service --no-pager
-- Logs begin at Tue 2024-03-05 10:34:47 UTC, end at Tue 2024-03-05 16:37:06 UTC. --
Mar 05 15:54:23 ip-172-31-34-139.ec2.internal systemd[1]: Started wazuh-dashboard.
-- Subject: Unit wazuh-dashboard.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-dashboard.service has finished starting up.
--
-- The start-up result is done.
Mar 05 15:54:34 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:34Z","tags":["info","plugins-service"],"pid":8685,"message":"Plugin \"dataSourceManagement\" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]"}
Mar 05 15:54:34 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:34Z","tags":["info","plugins-service"],"pid":8685,"message":"Plugin \"dataSource\" is disabled."}
Mar 05 15:54:34 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:34Z","tags":["info","plugins-service"],"pid":8685,"message":"Plugin \"visTypeXy\" is disabled."}
Mar 05 15:54:35 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:35Z","tags":["info","plugins-system"],"pid":8685,"message":"Setting up [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,expressions,data,home,apmOss,savedObjects,reportsDashboards,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,embeddable,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,dataExplorer,bfetch,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh]"}
Mar 05 15:54:36 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:36Z","tags":["info","savedobjects-service"],"pid":8685,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
Mar 05 15:54:37 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:37Z","tags":["info","savedobjects-service"],"pid":8685,"message":"Starting saved objects migrations"}
Mar 05 15:54:37 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:37Z","tags":["info","savedobjects-service"],"pid":8685,"message":"Creating index .kibana_1."}
Mar 05 15:54:37 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:37Z","tags":["info","savedobjects-service"],"pid":8685,"message":"Pointing alias .kibana to .kibana_1."}
Mar 05 15:54:37 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:37Z","tags":["info","savedobjects-service"],"pid":8685,"message":"Finished in 231ms."}
Mar 05 15:54:37 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:37Z","tags":["info","plugins-system"],"pid":8685,"message":"Starting [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,expressions,data,home,apmOss,savedObjects,reportsDashboards,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,embeddable,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,dataExplorer,bfetch,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh]"}
Mar 05 15:54:37 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:37Z","tags":["error","opensearch","data"],"pid":8685,"message":"[ResponseError]: Response Error"}
Mar 05 15:54:38 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:38Z","tags":["error","opensearch","data"],"pid":8685,"message":"[ResponseError]: Response Error"}
Mar 05 15:54:38 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:38Z","tags":["listening","info"],"pid":8685,"message":"Server running at https://0.0.0.0:443"}
Mar 05 15:54:38 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:54:38Z","tags":["info","http","server","OpenSearchDashboards"],"pid":8685,"message":"http server running at https://0.0.0.0:443"}
Mar 05 15:55:29 ip-172-31-34-139.ec2.internal systemd[1]: Stopping wazuh-dashboard...
-- Subject: Unit wazuh-dashboard.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-dashboard.service has begun shutting down.
Mar 05 15:55:29 ip-172-31-34-139.ec2.internal opensearch-dashboards[8685]: {"type":"log","@timestamp":"2024-03-05T15:55:29Z","tags":["info","plugins-system"],"pid":8685,"message":"Stopping all plugins."}
Mar 05 15:55:29 ip-172-31-34-139.ec2.internal systemd[1]: Stopped wazuh-dashboard.
-- Subject: Unit wazuh-dashboard.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-dashboard.service has finished shutting down.
Mar 05 15:55:29 ip-172-31-34-139.ec2.internal systemd[1]: Started wazuh-dashboard.
-- Subject: Unit wazuh-dashboard.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-dashboard.service has finished starting up.
--
-- The start-up result is done.
Mar 05 15:55:41 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:41Z","tags":["info","plugins-service"],"pid":10597,"message":"Plugin \"dataSourceManagement\" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]"}
Mar 05 15:55:41 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:41Z","tags":["info","plugins-service"],"pid":10597,"message":"Plugin \"dataSource\" is disabled."}
Mar 05 15:55:41 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:41Z","tags":["info","plugins-service"],"pid":10597,"message":"Plugin \"visTypeXy\" is disabled."}
Mar 05 15:55:41 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:41Z","tags":["info","plugins-system"],"pid":10597,"message":"Setting up [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,visualize,ganttChartDashboards,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Mar 05 15:55:42 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:42Z","tags":["info","savedobjects-service"],"pid":10597,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
Mar 05 15:55:43 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:43Z","tags":["info","savedobjects-service"],"pid":10597,"message":"Starting saved objects migrations"}
Mar 05 15:55:43 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:43Z","tags":["info","plugins-system"],"pid":10597,"message":"Starting [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,visualize,ganttChartDashboards,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Mar 05 15:55:43 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:43Z","tags":["listening","info"],"pid":10597,"message":"Server running at https://0.0.0.0:443"}
Mar 05 15:55:44 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"log","@timestamp":"2024-03-05T15:55:44Z","tags":["info","http","server","OpenSearchDashboards"],"pid":10597,"message":"http server running at https://0.0.0.0:443"}
Mar 05 15:55:46 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"response","@timestamp":"2024-03-05T15:55:45Z","tags":[],"pid":10597,"method":"get","statusCode":200,"req":{"url":"/status","method":"get","headers":{"host":"localhost","user-agent":"curl/8.3.0","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.3.0"},"res":{"statusCode":200,"responseTime":732,"contentLength":9},"message":"GET /status 200 732ms - 9.0B"}
Mar 05 16:26:29 ip-172-31-34-139.ec2.internal opensearch-dashboards[10597]: {"type":"response","@timestamp":"2024-03-05T16:26:29Z","tags":[],"pid":10597,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"107.23.229.53","user-agent":"Mozilla/5.0 zgrab/0.x","accept":"*/*","accept-encoding":"gzip"},"remoteAddress":"192.241.229.40","userAgent":"Mozilla/5.0 zgrab/0.x"},"res":{"statusCode":302,"responseTime":18,"contentLength":9},"message":"GET / 302 18ms - 9.0B"}
[root@ip-172-31-34-139 ec2-user]#
```
Errors

```shellsession
[root@ip-172-31-34-139 ec2-user]# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
[root@ip-172-31-34-139 ec2-user]#
```

Ubuntu 22 :green_circle:

Agent status

```shellsession
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-03-05 15:57:36 UTC; 39min ago
   Main PID: 54380 (node)
      Tasks: 11 (limit: 4632)
     Memory: 193.9M
        CPU: 17.002s
     CGroup: /system.slice/wazuh-dashboard.service
             └─54380 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist

Mar 05 15:57:49 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:49Z","tags":["info","plugins-service"],"pid":54380,"message":"Plugin \"dataSource\" is disabled.>
Mar 05 15:57:49 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:49Z","tags":["info","plugins-service"],"pid":54380,"message":"Plugin \"visTypeXy\" is disabled."}
Mar 05 15:57:50 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:50Z","tags":["info","plugins-system"],"pid":54380,"message":"Setting up [48] plugins: [usageColl>
Mar 05 15:57:51 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:51Z","tags":["info","savedobjects-service"],"pid":54380,"message":"Waiting until all OpenSearch >
Mar 05 15:57:51 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:51Z","tags":["info","savedobjects-service"],"pid":54380,"message":"Starting saved objects migrat>
Mar 05 15:57:51 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:51Z","tags":["info","plugins-system"],"pid":54380,"message":"Starting [48] plugins: [usageCollec>
Mar 05 15:57:53 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:53Z","tags":["listening","info"],"pid":54380,"message":"Server running at https://0.0.0.0:443"}
Mar 05 15:57:53 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:53Z","tags":["info","http","server","OpenSearchDashboards"],"pid":54380,"message":"http server r>
Mar 05 15:58:08 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"response","@timestamp":"2024-03-05T15:58:07Z","tags":[],"pid":54380,"method":"get","statusCode":200,"req":{"url":"/status","method":>
Mar 05 16:29:26 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"response","@timestamp":"2024-03-05T16:29:26Z","tags":[],"pid":54380,"method":"get","statusCode":302,"req":{"url":"/","method":"get",>
~
~
~
lines 1-20/20 (END)
```
Service status

```shellsession
root@ip-172-31-32-170:/home/ubuntu# journalctl -xe -u wazuh-dashboard.service --no-pager
Mar 05 15:56:32 ip-172-31-32-170 systemd[1]: Started wazuh-dashboard.
░░ Subject: A start job for unit wazuh-dashboard.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-dashboard.service has finished successfully.
░░
░░ The job identifier is 3718.
Mar 05 15:56:46 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:46Z","tags":["info","plugins-service"],"pid":52210,"message":"Plugin \"dataSourceManagement\" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]"}
Mar 05 15:56:46 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:46Z","tags":["info","plugins-service"],"pid":52210,"message":"Plugin \"dataSource\" is disabled."}
Mar 05 15:56:46 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:46Z","tags":["info","plugins-service"],"pid":52210,"message":"Plugin \"visTypeXy\" is disabled."}
Mar 05 15:56:46 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:46Z","tags":["info","plugins-system"],"pid":52210,"message":"Setting up [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Mar 05 15:56:48 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:48Z","tags":["info","savedobjects-service"],"pid":52210,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
Mar 05 15:56:48 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:48Z","tags":["info","savedobjects-service"],"pid":52210,"message":"Starting saved objects migrations"}
Mar 05 15:56:48 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:48Z","tags":["info","savedobjects-service"],"pid":52210,"message":"Creating index .kibana_1."}
Mar 05 15:56:49 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:49Z","tags":["info","savedobjects-service"],"pid":52210,"message":"Pointing alias .kibana to .kibana_1."}
Mar 05 15:56:49 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:49Z","tags":["info","savedobjects-service"],"pid":52210,"message":"Finished in 460ms."}
Mar 05 15:56:49 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:49Z","tags":["info","plugins-system"],"pid":52210,"message":"Starting [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Mar 05 15:56:50 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:50Z","tags":["error","opensearch","data"],"pid":52210,"message":"[ResponseError]: Response Error"}
Mar 05 15:56:50 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:50Z","tags":["error","opensearch","data"],"pid":52210,"message":"[ResponseError]: Response Error"}
Mar 05 15:56:51 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:51Z","tags":["listening","info"],"pid":52210,"message":"Server running at https://0.0.0.0:443"}
Mar 05 15:56:52 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:56:52Z","tags":["info","http","server","OpenSearchDashboards"],"pid":52210,"message":"http server running at https://0.0.0.0:443"}
Mar 05 15:57:36 ip-172-31-32-170 opensearch-dashboards[52210]: {"type":"log","@timestamp":"2024-03-05T15:57:36Z","tags":["info","plugins-system"],"pid":52210,"message":"Stopping all plugins."}
Mar 05 15:57:36 ip-172-31-32-170 systemd[1]: Stopping wazuh-dashboard...
░░ Subject: A stop job for unit wazuh-dashboard.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A stop job for unit wazuh-dashboard.service has begun execution.
░░
░░ The job identifier is 4240.
Mar 05 15:57:36 ip-172-31-32-170 systemd[1]: wazuh-dashboard.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-dashboard.service has successfully entered the 'dead' state.
Mar 05 15:57:36 ip-172-31-32-170 systemd[1]: Stopped wazuh-dashboard.
░░ Subject: A stop job for unit wazuh-dashboard.service has finished
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A stop job for unit wazuh-dashboard.service has finished.
░░
░░ The job identifier is 4240 and the job result is done.
Mar 05 15:57:36 ip-172-31-32-170 systemd[1]: wazuh-dashboard.service: Consumed 13.380s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-dashboard.service completed and consumed the indicated resources.
Mar 05 15:57:36 ip-172-31-32-170 systemd[1]: Started wazuh-dashboard.
░░ Subject: A start job for unit wazuh-dashboard.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-dashboard.service has finished successfully.
░░
░░ The job identifier is 4240.
Mar 05 15:57:49 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:49Z","tags":["info","plugins-service"],"pid":54380,"message":"Plugin \"dataSourceManagement\" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]"} Mar 05 15:57:49 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:49Z","tags":["info","plugins-service"],"pid":54380,"message":"Plugin \"dataSource\" is disabled."} Mar 05 15:57:49 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:49Z","tags":["info","plugins-service"],"pid":54380,"message":"Plugin \"visTypeXy\" is disabled."} Mar 05 15:57:50 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:50Z","tags":["info","plugins-system"],"pid":54380,"message":"Setting up [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTable,visTypeTimeline,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"} Mar 05 15:57:51 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:51Z","tags":["info","savedobjects-service"],"pid":54380,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."} Mar 05 15:57:51 ip-172-31-32-170 opensearch-dashboards[54380]: 
{"type":"log","@timestamp":"2024-03-05T15:57:51Z","tags":["info","savedobjects-service"],"pid":54380,"message":"Starting saved objects migrations"} Mar 05 15:57:51 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:51Z","tags":["info","plugins-system"],"pid":54380,"message":"Starting [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTable,visTypeTimeline,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"} Mar 05 15:57:53 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:53Z","tags":["listening","info"],"pid":54380,"message":"Server running at https://0.0.0.0:443"} Mar 05 15:57:53 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"log","@timestamp":"2024-03-05T15:57:53Z","tags":["info","http","server","OpenSearchDashboards"],"pid":54380,"message":"http server running at https://0.0.0.0:443"} Mar 05 15:58:08 ip-172-31-32-170 opensearch-dashboards[54380]: {"type":"response","@timestamp":"2024-03-05T15:58:07Z","tags":[],"pid":54380,"method":"get","statusCode":200,"req":{"url":"/status","method":"get","headers":{"host":"localhost","user-agent":"curl/7.81.0","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/7.81.0"},"res":{"statusCode":200,"responseTime":796,"contentLength":9},"message":"GET /status 200 796ms - 9.0B"} Mar 05 16:29:26 ip-172-31-32-170 opensearch-dashboards[54380]: 
{"type":"response","@timestamp":"2024-03-05T16:29:26Z","tags":[],"pid":54380,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"3.93.12.79","user-agent":"Mozilla/5.0 zgrab/0.x","accept":"*/*","accept-encoding":"gzip"},"remoteAddress":"192.241.222.99","userAgent":"Mozilla/5.0 zgrab/0.x"},"res":{"statusCode":302,"responseTime":11,"contentLength":9},"message":"GET / 302 11ms - 9.0B"} root@ip-172-31-32-170:/home/ubuntu# ```
Errors

```shellsession
root@ip-172-31-32-170:/home/ubuntu# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
root@ip-172-31-32-170:/home/ubuntu#
```

RHEL 9 :yellow_circle:

Agent status

```shellsession
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-03-05 15:58:03 UTC; 39min ago
   Main PID: 21603 (node)
      Tasks: 11 (limit: 22632)
     Memory: 215.7M
        CPU: 15.889s
     CGroup: /system.slice/wazuh-dashboard.service
             └─21603 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist

Mar 05 15:58:17 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:17Z","tags":["info","plugins-service"],"pid":21603,"message":"Plugin \"dataSource\" >
Mar 05 15:58:17 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:17Z","tags":["info","plugins-service"],"pid":21603,"message":"Plugin \"visTypeXy\" i>
Mar 05 15:58:18 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:18Z","tags":["info","plugins-system"],"pid":21603,"message":"Setting up [48] plugins>
Mar 05 15:58:19 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:19Z","tags":["info","savedobjects-service"],"pid":21603,"message":"Waiting until all>
Mar 05 15:58:19 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:19Z","tags":["info","savedobjects-service"],"pid":21603,"message":"Starting saved ob>
Mar 05 15:58:19 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:19Z","tags":["info","plugins-system"],"pid":21603,"message":"Starting [48] plugins: >
Mar 05 15:58:20 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:20Z","tags":["listening","info"],"pid":21603,"message":"Server running at https://0.>
Mar 05 15:58:21 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:21Z","tags":["info","http","server","OpenSearchDashboards"],"pid":21603,"message":"h>
Mar 05 15:58:37 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"response","@timestamp":"2024-03-05T15:58:36Z","tags":[],"pid":21603,"method":"get","statusCode":200,"req":{"url":"/statu>
Mar 05 16:36:57 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"response","@timestamp":"2024-03-05T16:36:57Z","tags":[],"pid":21603,"method":"get","statusCode":302,"req":{"url":"/","me>
~
~
~
lines 1-20/20 (END)
```

Service status

```shellsession
[root@ip-172-31-36-46 ec2-user]# journalctl -xe -u wazuh-dashboard.service --no-pager
Mar 05 15:57:00 ip-172-31-36-46.ec2.internal systemd[1]: Started wazuh-dashboard.
░░ Subject: A start job for unit wazuh-dashboard.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-dashboard.service has finished successfully.
░░
░░ The job identifier is 7017.
Mar 05 15:57:12 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:12Z","tags":["info","plugins-service"],"pid":19423,"message":"Plugin \"dataSourceManagement\" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]"}
Mar 05 15:57:12 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:12Z","tags":["info","plugins-service"],"pid":19423,"message":"Plugin \"dataSource\" is disabled."}
Mar 05 15:57:12 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:12Z","tags":["info","plugins-service"],"pid":19423,"message":"Plugin \"visTypeXy\" is disabled."}
Mar 05 15:57:13 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:13Z","tags":["info","plugins-system"],"pid":19423,"message":"Setting up [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Mar 05 15:57:15 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:15Z","tags":["info","savedobjects-service"],"pid":19423,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
Mar 05 15:57:15 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:15Z","tags":["info","savedobjects-service"],"pid":19423,"message":"Starting saved objects migrations"}
Mar 05 15:57:15 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:15Z","tags":["info","savedobjects-service"],"pid":19423,"message":"Creating index .kibana_1."}
Mar 05 15:57:16 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:16Z","tags":["info","savedobjects-service"],"pid":19423,"message":"Pointing alias .kibana to .kibana_1."}
Mar 05 15:57:16 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:16Z","tags":["info","savedobjects-service"],"pid":19423,"message":"Finished in 420ms."}
Mar 05 15:57:16 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:16Z","tags":["info","plugins-system"],"pid":19423,"message":"Starting [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Mar 05 15:57:17 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:17Z","tags":["error","opensearch","data"],"pid":19423,"message":"[ResponseError]: Response Error"}
Mar 05 15:57:17 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:17Z","tags":["error","opensearch","data"],"pid":19423,"message":"[ResponseError]: Response Error"}
Mar 05 15:57:18 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:18Z","tags":["listening","info"],"pid":19423,"message":"Server running at https://0.0.0.0:443"}
Mar 05 15:57:18 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:57:18Z","tags":["info","http","server","OpenSearchDashboards"],"pid":19423,"message":"http server running at https://0.0.0.0:443"}
Mar 05 15:58:02 ip-172-31-36-46.ec2.internal systemd[1]: Stopping wazuh-dashboard...
░░ Subject: A stop job for unit wazuh-dashboard.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A stop job for unit wazuh-dashboard.service has begun execution.
░░
░░ The job identifier is 7284.
Mar 05 15:58:02 ip-172-31-36-46.ec2.internal opensearch-dashboards[19423]: {"type":"log","@timestamp":"2024-03-05T15:58:02Z","tags":["info","plugins-system"],"pid":19423,"message":"Stopping all plugins."}
Mar 05 15:58:03 ip-172-31-36-46.ec2.internal systemd[1]: wazuh-dashboard.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ The unit wazuh-dashboard.service has successfully entered the 'dead' state.
Mar 05 15:58:03 ip-172-31-36-46.ec2.internal systemd[1]: Stopped wazuh-dashboard.
░░ Subject: A stop job for unit wazuh-dashboard.service has finished
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A stop job for unit wazuh-dashboard.service has finished.
░░
░░ The job identifier is 7284 and the job result is done.
Mar 05 15:58:03 ip-172-31-36-46.ec2.internal systemd[1]: wazuh-dashboard.service: Consumed 12.655s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ The unit wazuh-dashboard.service completed and consumed the indicated resources.
Mar 05 15:58:03 ip-172-31-36-46.ec2.internal systemd[1]: Started wazuh-dashboard.
░░ Subject: A start job for unit wazuh-dashboard.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-dashboard.service has finished successfully.
░░
░░ The job identifier is 7284.
Mar 05 15:58:17 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:17Z","tags":["info","plugins-service"],"pid":21603,"message":"Plugin \"dataSourceManagement\" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]"}
Mar 05 15:58:17 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:17Z","tags":["info","plugins-service"],"pid":21603,"message":"Plugin \"dataSource\" is disabled."}
Mar 05 15:58:17 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:17Z","tags":["info","plugins-service"],"pid":21603,"message":"Plugin \"visTypeXy\" is disabled."}
Mar 05 15:58:18 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:18Z","tags":["info","plugins-system"],"pid":21603,"message":"Setting up [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,embeddable,legacyExport,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeTimeline,visTypeMarkdown,visTypeVega,visTypeTable,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,visualize,ganttChartDashboards,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,bfetch,charts,visTypeVislib,visTypeTagcloud,visTypeTimeseries,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh]"}
Mar 05 15:58:19 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:19Z","tags":["info","savedobjects-service"],"pid":21603,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
Mar 05 15:58:19 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:19Z","tags":["info","savedobjects-service"],"pid":21603,"message":"Starting saved objects migrations"}
Mar 05 15:58:19 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:19Z","tags":["info","plugins-system"],"pid":21603,"message":"Starting [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,embeddable,legacyExport,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeTimeline,visTypeMarkdown,visTypeVega,visTypeTable,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,visualize,ganttChartDashboards,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,bfetch,charts,visTypeVislib,visTypeTagcloud,visTypeTimeseries,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh]"}
Mar 05 15:58:20 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:20Z","tags":["listening","info"],"pid":21603,"message":"Server running at https://0.0.0.0:443"}
Mar 05 15:58:21 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"log","@timestamp":"2024-03-05T15:58:21Z","tags":["info","http","server","OpenSearchDashboards"],"pid":21603,"message":"http server running at https://0.0.0.0:443"}
Mar 05 15:58:37 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"response","@timestamp":"2024-03-05T15:58:36Z","tags":[],"pid":21603,"method":"get","statusCode":200,"req":{"url":"/status","method":"get","headers":{"host":"localhost","user-agent":"curl/7.76.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/7.76.1"},"res":{"statusCode":200,"responseTime":1131,"contentLength":9},"message":"GET /status 200 1131ms - 9.0B"}
Mar 05 16:36:57 ip-172-31-36-46.ec2.internal opensearch-dashboards[21603]: {"type":"response","@timestamp":"2024-03-05T16:36:57Z","tags":[],"pid":21603,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"34.230.23.84","user-agent":"Mozilla/5.0 zgrab/0.x","accept":"*/*","accept-encoding":"gzip"},"remoteAddress":"192.241.197.39","userAgent":"Mozilla/5.0 zgrab/0.x"},"res":{"statusCode":302,"responseTime":6,"contentLength":9},"message":"GET / 302 6ms - 9.0B"}
[root@ip-172-31-36-46 ec2-user]#
```

:yellow_circle: Errors

:yellow_circle: Related issue: https://github.com/wazuh/wazuh-dashboard-plugins/issues/6312

```shellsession
[root@ip-172-31-36-46 ec2-user]# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
{"date":"2024-03-05T15:57:17.896Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}
{"date":"2024-03-05T15:58:20.814Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}
[root@ip-172-31-36-46 ec2-user]#
```

davidcr01 commented 8 months ago

Additional tests

Accessing Wazuh web interface :green_circle:

Amazon Linux 2 :green_circle:

image

Ubuntu 22 :green_circle:

image

RHEL9 :green_circle:

image

damarisg commented 8 months ago

LGTM!